Warning Issued by CISA Regarding Ongoing Jenkins CI/CD Tool Exploits
In a concerning turn of events, a critical Local File Inclusion (LFI) vulnerability in Jenkins, a popular open-source tool used by more than 11 million developers worldwide, has been actively exploited by malicious actors. This vulnerability, identified as CVE-2024-23897, allows unauthenticated attackers to read arbitrary files, including sensitive ones like , potentially compromising secret keys and tokens[1][2][5].
The vulnerability affects Jenkins versions up to 2.441 and LTS 2.426.2, and stems from a CLI command parser feature that improperly handles '@' characters followed by file paths[2][4]. This issue poses a significant risk to the federal enterprise, as the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog[3].
The vulnerability was initially disclosed in January, and scans from a threat tracking service showed nearly 50,000 unpatched Jenkins instances in the same month[6]. Shadowserver tracked more than 31,000 Jenkins instances potentially exposed to the vulnerability on Monday[7].
One of the most alarming incidents involving this vulnerability was a ransomware attack on Brontoo Technology Solutions in late July, which disrupted banks in India[8]. If successfully exploited, this vulnerability can lead to the leakage of sensitive files and data, potential command execution, and enable a ransomware attack[5].
Key Recommendations for Patching and Mitigation:
- Upgrade Jenkins immediately to a fixed version: Jenkins 2.442 or later (post-2.441) contains patches that disable the vulnerable CLI command parser feature, closing the LFI vector[2][5].
- Apply security advisories and official Jenkins patches: Follow Jenkins advisory updates for specific patch details and apply them promptly to vulnerable installations[5].
- Implement network-level controls and monitoring: Limit access to Jenkins CLI ports and interfaces to trusted users or networks only, reducing exposure to unauthenticated attackers[1].
- Use virtual patching if immediate upgrade is infeasible: Solutions like Cato Networks’ Rapid CVE Mitigation can provide automated virtual patching that blocks exploitation attempts without requiring customer intervention[4].
- Audit Jenkins credentials and tokens post-exploitation: If compromise is suspected, rotate all Jenkins-hosted credentials such as SSH keys, tokens, and API keys to prevent later misuse[1].
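As an added example (not code from the article or from the Jenkins project), a small Python triage script for two of the points above: it classifies a reported Jenkins version against the affected ranges the article gives (weekly releases up to 2.441, LTS up to 2.426.2), and it flags requests to the CLI endpoint from outside a trusted network in reverse-proxy access logs. The log lines are constructed; the assumptions are that the proxy writes combined log format and that the CLI-over-HTTP endpoint is served under the /cli path.

```python
import ipaddress
import re

# Affected ranges as stated in the article: weekly releases up to 2.441 and
# LTS releases up to 2.426.2. Weekly versions have two numeric components
# (2.441), LTS versions have three (2.426.2); later LTS lines compare higher.
AFFECTED_WEEKLY_MAX = (2, 441)
AFFECTED_LTS_MAX = (2, 426, 2)


def is_affected(version: str) -> bool:
    """Return True if a Jenkins version string falls inside the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 2:      # weekly release line
        return parts <= AFFECTED_WEEKLY_MAX
    if len(parts) == 3:      # LTS release line
        return parts <= AFFECTED_LTS_MAX
    raise ValueError(f"unrecognised Jenkins version format: {version!r}")


# Constructed sample lines from a reverse proxy in front of Jenkins
# (combined log format). Assumption: the CLI-over-HTTP endpoint lives at /cli.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2024:10:01:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Jenkins-CLI"
203.0.113.7 - - [05/Aug/2024:10:01:09 +0000] "POST /cli?remoting=false HTTP/1.1" 200 3921 "-" "curl/8.4.0"
203.0.113.7 - - [05/Aug/2024:10:01:10 +0000] "GET /login HTTP/1.1" 200 2210 "-" "curl/8.4.0"
198.51.100.9 - - [05/Aug/2024:10:02:44 +0000] "GET /cli/ HTTP/1.1" 200 1002 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_cli_requests(log_text: str, trusted_cidrs: list[str]) -> list[dict]:
    """Return CLI-endpoint requests whose source IP is outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if path != "/cli" and not path.startswith("/cli/"):
            continue                      # only the CLI endpoint is of interest here
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in trusted):
            continue                      # expected CLI use from an allowed network
        findings.append({"ip": str(src), "time": m.group("ts"),
                         "method": m.group("method"), "status": int(m.group("status"))})
    return findings
```

Run against the constructed sample with `["10.0.0.0/8"]` as the trusted range, the script reports the two CLI requests from 203.0.113.7 and 198.51.100.9 and ignores the one from the internal host.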
Given that this vulnerability has been actively exploited in the wild, organizations should treat CVE-2024-23897 as a high-priority risk and remediate urgently[1][5].
Jenkins, with a 45% share of the CI/CD market, is an open-source tool managed by the Linux Foundation's Continuous Delivery Foundation[9]. It is crucial for users to prioritise the security of their Jenkins instances to avoid falling victim to these attacks.
[1] https://www.cisecurity.org/advisory/cve-2024-23897/
[2] https://www.juniper.net/documentation/us/en/security-center/threat-analysis-reports/tc51142/jenkins-vulnerability-cve-2024-23897.html
[3] https://www.cisa.gov/uscert/ncas/alerts/aa23-113a
[4] https://www.cato.net/blog/cve-2024-23897-jenkins-vulnerability-rapid-cve-mitigation
[5] https://www.juniper.net/documentation/us/en/security-center/threat-analysis-reports/tc51142/jenkins-vulnerability-cve-2024-23897.html
[6] https://www.zdnet.com/article/more-than-50000-jenkins-instances-are-still-vulnerable-to-critical-ransomware-exploit/
[7] https://www.bleepingcomputer.com/news/security/more-than-31000-jenkins-instances-potentially-exposed-to-vulnerability/
[8] https://www.infosecurity-magazine.com/news/jenkins-vulnerability-linked-to-indian-banking-attack/
[9] https://www.jenkins.io/foundation/continuous-delivery-foundation/
- Due to the active exploitation of the CVE-2024-23897 vulnerability in Jenkins, cybersecurity teams should prioritize patching their Jenkins instances to protect against potential ransomware attacks.
- Given that this vulnerability can lead to command execution, the leakage of sensitive files and data, and enable a ransomware attack, technology companies must address this cybersecurity issue as a significant risk.