A newly discovered vulnerability, identified as CVE-2024-43044, has emerged as a critical threat to Jenkins servers worldwide. Uncovered by security researchers at Conviso Labs, this vulnerability allows remote attackers to execute arbitrary file read operations, posing significant risks to organizations relying on Jenkins for their continuous integration and continuous deployment (CI/CD) pipelines. With Jenkins being a cornerstone of many development workflows, the potential for exploitation is immense, leading to credential theft, unauthorized code modifications, and disruptions in deployment processes.
Technical Details
CVE-2024-43044 is classified as an arbitrary file read vulnerability that allows Jenkins agents to access files on the Jenkins controller. The issue stems from the improper handling of file paths by the ClassLoaderProxy#fetchJar method on the Jenkins controller, which does not restrict the file paths that agents can request. This oversight enables attackers to gain unauthorized access to the controller’s file system, bypassing the Agent -> Controller Access Control system that has been a default security feature since Jenkins version 2.326.
The vulnerability revolves around how Jenkins handles JAR file transmissions between the controller and its agents. Specifically, the hudson.remoting.RemoteClassLoader is used to load class files from a remote peer through a channel. Attackers exploit this mechanism by manipulating a proxy object within the RemoteClassLoader, which is tied to a hudson.remoting.RemoteInvocationHandler. This handler invokes the fetchJar method via a Remote Procedure Call (RPC) to the Jenkins controller, enabling unauthorized access to files.
Here’s an example of the exploit code published by Conviso Labs:
This exploit demonstrates how an attacker can manipulate the fetchJar method to access arbitrary files on the Jenkins controller. The absence of proper validation for user-controlled URLs in the fetchJar method is a critical oversight that exposes Jenkins controllers to unauthorized file access.
Exploitation and Potential Impact
The proof-of-concept (PoC) exploit provided by Conviso Labs outlines a multi-step attack sequence that highlights the severe implications of CVE-2024-43044:
- Reference Acquisition: The exploit first acquires a reference to the
hudson.remoting.RemoteClassLoader. - File Reading: Using this reference, the attacker can read specific files from the controller’s file system.
- Data Extraction: Critical files are accessed to extract data necessary for further exploitation, such as forging cookies.
- User Enumeration: The exploit reads a list of Jenkins users, retrieving information such as user IDs, timestamps, seeds, and hashes.
- Cookie Forging: Using the extracted data, the attacker forges “remember-me” cookies for various users, ultimately gaining access to the Jenkins Scripting Engine.
- Command Execution: Once inside the scripting engine, the attacker can execute system commands on the Jenkins server.
- Credential Dumping: The attacker dumps usernames and hashes, which can then be cracked using tools like John the Ripper.
The potential impact of this vulnerability is extensive. By gaining access to the Jenkins Scripting Engine, attackers can execute arbitrary code, potentially leading to full system compromise. This not only puts the Jenkins server at risk but also any systems or services integrated with Jenkins.
Mitigation and Recommendations
The Jenkins team has released patches to address CVE-2024-43044. The vulnerability is resolved in Jenkins version 2.471 and long-term support (LTS) versions 2.452.4 and 2.462.1. Organizations using Jenkins are strongly advised to upgrade to these versions immediately to mitigate the risk posed by this vulnerability. Failing to update could leave systems exposed to severe security breaches, including remote code execution and unauthorized access to sensitive data.
For organizations unable to upgrade immediately, it is recommended to implement additional security controls around Jenkins servers, such as restricting network access, using strong authentication mechanisms, and closely monitoring server activity for any signs of exploitation.
Conclusion
CVE-2024-43044 underscores the critical need for robust security practices in CI/CD environments. Jenkins users must act swiftly to patch their systems and ensure that all security measures are in place to prevent exploitation. As development pipelines continue to be attractive targets for cyberattacks, maintaining up-to-date security practices remains essential for protecting sensitive data and maintaining the integrity of software deployments.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Hackers Leverage Google Sheets for Malware Command in Sophisticated Espionage Campaign
I very delighted to find this internet site on bing, just what I was searching for as well saved to fav