CISA Issues Warning Over Critical Jenkins RCE Bug Being Leveraged in Ransomware Attacks

August 19, 2024

CISA has flagged a serious vulnerability in Jenkins, a widely used open-source automation server that helps developers automate building, testing, and deploying software through continuous integration (CI) and continuous delivery (CD). The vulnerability, tracked as CVE-2024-23897, stems from a weakness in the args4j command parser and can be exploited by unauthenticated attackers to read arbitrary files on the Jenkins controller file system via the built-in command line interface (CLI).

The Jenkins team clarified, "This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it."
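As an added example (not code from the article or from the Jenkins project), the following Python helper classifies a Jenkins version string against the affected ranges the advisory names, so an inventory can be triaged quickly. It assumes the version string comes from the `X-Jenkins` response header Jenkins sends, and that any release newer than those listed is patched, as the advisory implies.

```python
"""Triage Jenkins version strings against the CVE-2024-23897 affected range."""
import re
from typing import Dict, List, Optional, Tuple

# Thresholds from the Jenkins advisory quoted above: weekly releases 2.441 and
# earlier and LTS releases 2.426.2 and earlier ship with expandAtFiles enabled.
# Assumption: anything newer is patched, as the advisory implies.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)

# Weekly releases look like X.Y, LTS releases like X.Y.Z.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric tuple for a Jenkins version, or None if unparsable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if in the affected range, False if newer, None if unknown.

    An unparsable version (e.g. a custom build string) is reported as None
    so it is escalated for manual review rather than silently treated as safe.
    """
    parts = parse_version(version)
    if parts is None:
        return None
    if len(parts) == 3:  # LTS line, e.g. 2.426.2
        return parts <= LAST_AFFECTED_LTS
    return parts <= LAST_AFFECTED_WEEKLY  # weekly line, e.g. 2.441


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Jenkins reports its version in the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket host -> version pairs into affected / patched / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        buckets[key].append(host)
    return buckets
```

Hosts landing in the "unknown" bucket (non-standard version strings) should be checked by hand rather than assumed safe.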

Following the release of security updates by Jenkins developers on January 24, several proof-of-concept (PoC) exploits were published online. Some honeypots reportedly detected exploitation attempts just a day later. Shadowserver, a threat monitoring service, is currently tracking over 28,000 Jenkins instances exposed to CVE-2024-23897, with the majority located in China (7,700) and the United States (7,368). This represents a significant attack surface, down from over 45,000 unpatched servers identified in January.

According to a report by Trend Micro, exploitation of CVE-2024-23897 in the wild began in March. Earlier this month, CloudSEK reported that a threat actor known as IntelBroker had leveraged the vulnerability to infiltrate IT service provider BORN Group. More recently, Juniper Networks reported that the RansomEXX gang had exploited the vulnerability to compromise the systems of Brontoo Technology Solutions, a provider of technology services to Indian banks, in late July. This ransomware attack led to widespread disruptions to retail payment systems across the country.

In light of these reports, CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Monday, warning that it is being actively exploited. Federal Civilian Executive Branch (FCEB) agencies now have until September 9 to secure Jenkins servers on their networks against ongoing CVE-2024-23897 exploitation, as required by Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021. Although BOD 22-01 applies only to federal agencies, CISA strongly recommends that all organizations prioritize fixing this flaw to prevent potential ransomware attacks on their systems. In its warning, CISA cautioned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
