Blog Main Image

Threat Alert: Jenkins CLI Vulnerability – Remote Code Execution

INFORMATIONAL ONLY

A critical vulnerability has been identified in Jenkins, a leading open-source automation server, impacting versions up to 2.441 (LTS 2.426.2). This vulnerability stems from the use of the args4j library in the Jenkins command-line interface (CLI), allowing malicious actors to exploit a feature named 'expandAtFiles' to read arbitrary files on the Jenkins controller file system.

The 'expandAtFiles' feature, enabled by default in affected versions, replaces an '@' character followed by a file path in a command argument with the content of the referenced file. This exposes a critical security loophole that could allow attackers to read sensitive files, including cryptographic keys.

IMPACT:

  • Attackers with Overall/Read permission can read the entire content of files on the Jenkins controller file system.
  • Attackers without Overall/Read permission can read the first few lines of files, with the number of lines depending on available CLI commands. As of now, the Jenkins security team has confirmed up to three lines of content can be accessed in recent releases.
  • Special Note on Binary Files: Binary files containing cryptographic keys used in Jenkins features can be read with some limitations. The Jenkins security team has confirmed potential attacks leveraging attackers' ability to obtain cryptographic keys from binary files. These attacks rely on the default character encoding of the process, potentially exposing a significant portion of the secret key.

MITIGATION:

Immediate Patching: Apply the latest security updates from Jenkins to address this vulnerability. Upgrade to version 2.442 (LTS 2.426.3) or a later release.

Access Control: Review and limit access permissions for users, ensuring that only authorized personnel have Overall/Read permission.

Monitor CLI Commands: Regularly monitor and audit CLI commands for any suspicious activity.

File System Review: Conduct a thorough review of critical files and directories for signs of unauthorized access or modification.

Communication Encryption: If cryptographic keys are at risk, consider regenerating and replacing them. Ensure secure storage and transmission of these keys.

Additional Considerations: Given the nature of this vulnerability, the risk extends to instances where cryptographic keys are involved. It is crucial to assess the potential impact on any system relying on Jenkins for security-sensitive operations.

**Short- Term Workaround*** In the case of administrators being unable to immediately update to Jenkins 2.442, LTS 2.426.3 - we recommend disabling access to the CLI to prevent exploitation completely, this workaround does not require a Jenkins restart. This is a stopgap measure until the administrators are able to update.

What does this mean for Quadrant customers? Our team of Threat Analysts are monitoring the situation closely and will update our detections as soon as indicators are available.

CLICK HERE TO SIGN UP FOR FREE THREAT ALERTS TO YOUR INBOX.

Scroll To Top Arrow