A critical vulnerability has been identified in Jenkins, a widely used automation server. If exploited further, this vulnerability allows attackers to read arbitrary files from the Jenkins controller. If exploited further, it could potentially escalate to remote code execution (RCE).
This article you provided is a detailed technical analysis of a vulnerability in Jenkins, specifically CVE-2024-43044.
“The Jenkins team released an advisory (SECURITY-3430 / CVE-2024-43044) for an arbitrary file read vulnerability that allows an agent to be able to read files from the controller. This happens because of a feature that allows the controller to transmit the JAR files to agents. “
Jenkins operates on a controller/agent architecture. The controller manages agents, which execute tasks like building and testing software. Communication between the controller and agents is facilitated by the Remoting/Hudson library, using protocols such as Inbound (JNLP) or SSH.
The document you provided is a comprehensive technical analysis of a vulnerability in Jenkins, specifically CVE-2024-43044. Here’s a summary of the key points in paragraph format:
Technical Analysis: Jenkins Vulnerability CVE-2024-43044
The vulnerability (CVE-2024-43044) allows Jenkins agents to read arbitrary files from the controller. This is due to a flaw in the ClassLoaderProxy#fetchJar method, which does not restrict file paths that agents can request from the controller.
Jenkins, a widely used tool for automating software development tasks, has been found to contain a critical vulnerability, CVE-2024-43044, which allows Jenkins agents to read arbitrary files from the controller.
This vulnerability arises from a flaw in the ClassLoaderProxy#fetchJar method, which fails to restrict file paths that agents can request from the controller. This oversight can potentially escalate to remote code execution (RCE) if an attacker hijacks a Jenkins agent.
// hudson.remoting.RemoteClassLoader$ClassLoaderProxy.fetchJar
public byte[] fetchJar(URL url) throws IOException {
return Util.readFully(url.openStream());
}This code is designed to access the hudson.remoting.RemoteClassLoader, a class responsible for loading class files from a remote peer via a communication channel. The code particularly targets a Proxy object found in the proxy field of the RemoteClassLoader. The handler associated with this Proxy object is an instance of hudson.remoting.RemoteInvocationHandler.
private static class Exploit extends MasterToSlaveCallable {
private final URL controllerFilePath;
private final String expectedContent;
public Exploit(URL controllerFilePath, String expectedContent) {
this.controllerFilePath = controllerFilePath;
this.expectedContent = expectedContent;
}
@Override
public Void call() throws Exception {
final ClassLoader ccl = Thread.currentThread().getContextClassLoader();
final Field classLoaderProxyField = ccl.getClass().getDeclaredField("proxy");
classLoaderProxyField.setAccessible(true);
final Object theProxy = classLoaderProxyField.get(ccl);
final Method fetchJarMethod = theProxy.getClass().getDeclaredMethod("fetchJar", URL.class);
fetchJarMethod.setAccessible(true);
final byte[] fetchJarResponse = (byte[]) fetchJarMethod.invoke(theProxy, controllerFilePath);
assertThat(new String(fetchJarResponse, StandardCharsets.UTF_8), is(expectedContent));
return null;
}
} Jenkins operates on a controller/agent architecture, where the controller manages agents that execute tasks. Communication between the controller and agents is facilitated by the Remoting/Hudson library.
The vulnerability allows agents to bypass the Agent -> Controller Access Control system, which is designed to prevent unauthorized access.
This vulnerability can be exploited through various methods, including using agent secrets to establish unauthorized connections or attaching to a running Remoting process.
One notable exploitation technique involves forging a “remember-me” cookie for an administrator account, allowing attackers to gain access to the Jenkins Script Console and execute commands.
According to the Conviso report, This technique requires reading specific files to craft a valid cookie, leveraging the vulnerability to read binary files and entire file contents.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Exploitation Path
- Arbitrary File Read: Attackers can use the vulnerability to read sensitive files from the Jenkins controller.
- Remote Code Execution (RCE): By hijacking an agent, attackers can escalate privileges to execute code on the Jenkins controller. This can be achieved by exploiting the Remoting library to establish unauthorized connections and execute malicious code.
The Jenkins team released a patch introducing a validator and Java system properties to control the fetchJar functionality. These properties help restrict unauthorized file access by validating URLs and rejecting unauthorized JAR files.
Exploit Techniques
- Inbound Agent Exploit: Attackers can use agent secrets to establish connections and exploit the vulnerability.
- SSH Connection Exploit: By attaching to a running Remoting process, attackers can inject malicious code without needing agent secrets.
- Remember-Me Cookie Forgery: Attackers can forge cookies to gain admin access, leveraging this to execute commands via the Jenkins Script Console.
The vulnerability poses significant risks, including potential data breaches and operational disruptions. Organizations using Jenkins should apply the patch and review their security measures to prevent exploitation.
Attackers can then execute malicious code on the Jenkins controller, potentially compromising sensitive data and disrupting operations.
The GIF image below demonstrates a successful exploitation of Jenkins Docker version 2.441 [9] using an inbound agent’s name and secret:
The Jenkins team has released a patch to address this issue, introducing a validator and Java system properties to control the fetchJar functionality. These measures aim to restrict unauthorized file access by validating URLs and rejecting unauthorized JAR files.
The analysis highlights the importance of securing Jenkins installations and applying the provided patch. Organizations using Jenkins should review their security configurations to prevent exploitation and protect their CI/CD pipelines from potential threats.
This analysis highlights the importance of securing CI/CD pipelines and maintaining vigilance against emerging threats.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial