Critical, Actively Exploited Jenkins RCE Bug Suffers Patch Lag
A 7-month-old bug in an OSS CI/CD server is still being actively exploited, thanks to spotty patching, CISA warns.
August 20, 2024
A critical vulnerability in the Jenkins open source automation server is still being actively exploited seven months after its initial disclosure.
Jenkins is a two-decades-old, extensible open source tool that software developers use to build, test, and deploy applications during continuous integration and continuous delivery (CI/CD). It reached 300,000 known installations in 2022, which, according to its developers, made it the world's most popular automation server.
Back in January, the Jenkins team revealed a command line interface (CLI) path traversal vulnerability that could allow unauthorized attackers to read arbitrary files on its controller file system. Though read-only in nature, the issue could allow an attacker to glean cryptographic keys helpful in escalating privileges and eventually gaining code execution privileges. Labeled CVE-2024-23897, it earned a "critical" 9.8 out of 10 score in the Common Vulnerability Scoring System (CVSS).
"If your Jenkins is compromised, it's quite a big deal, because Jenkins is at the core of your business software," explains Yaniv Nizry, vulnerability researcher for Sonar, who was first to discover the bug. "Attackers can sneak themselves into production, or inject their code, and there are many ways they can use it to get a further foothold. It could be very devastating."
And it remains under active exploitation today, according to the Cybersecurity and Infrastructure Security Agency (CISA), which this week added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies at risk now have two weeks to remediate.
The Damage Already Wrought by CVE-2024-23897
The day it disclosed its vulnerability to the public, the Jenkins development team released a security fix along with detailed information about eight potential paths of exploitation.
Many developers, it seems, didn't implement the fix. Five days after the news broke, the Shadowserver Foundation counted 45,000 exposed instances across six continents.
White- and black-hat hackers alike immediately began testing out some of the exploits Jenkins outlined in its advisory. Evidence of exploitation arose within 24 hours of the news dropping. After 48 hours, multiple working proof-of-concept (PoC) exploits were available on the public Web, allowing hackers to exploit any publicly discoverable Jenkins instance with minimal effort.
Two months later, Trend Micro found evidence that CVE-2024-23897 exploits were being bought and sold among threat actors. By that time, according to Shadowserver data, hundreds of related attacks had struck targets primarily concentrated in South Africa.
More attacks of a larger scale have occurred since. Over the summer, IntelBroker used CVE-2024-23897 to obtain credentials, which it then used to breach a corporate GitHub account, access private repositories, and steal the source code and other sensitive and proprietary data hosted there. Then, RansomExx exploited it to lock up IT systems at the digital payments provider Brontoo Technology Solutions, which had a ripple effect across Indian banks.
As Nizry emphasizes, there is no good reason why Jenkins users should not have patched already, or shouldn't patch immediately if they haven't yet.
"It's something quite recurring in security research — that when you use a third-party package, it could have a really huge impact, especially if it's an old one," he says. "Maybe it had some useful feature in the past, and now, suddenly, that feature can become a security issue."