Securing Jenkins – Mitigating CVE-2024-23897 with AccuKnox

November 21, 2024

Here’s a step-by-step guide to simulating an attack on Jenkins, exploiting CVE-2024-23897, and mitigating it using AccuKnox Runtime Security.


As enterprises scale their DevOps pipelines, continuous integration tools like Jenkins are vital, but securing them is crucial. In this blog, we’ll walk through a step-by-step guide to simulating an attack on Jenkins, exploiting CVE-2024-23897, and mitigating it using AccuKnox Runtime Security.

The newly discovered vulnerability, CVE-2024-23897, affects the Jenkins CLI and exposes a critical flaw that could allow remote attackers to read arbitrary files and potentially escalate privileges. It affects Jenkins 2.441 and earlier, including LTS 2.426.2, and is actively being addressed to mitigate risks.

This critical security issue arises from Jenkins’ command-line interface (CLI) feature, which uses the args4j library for argument parsing. When processing CLI commands, Jenkins enables expandAtFiles, which automatically replaces an @ character followed by a file path in command arguments with the file’s contents. Since this function is enabled by default in Jenkins, it introduces a critical risk: any user who can reach Jenkins’ CLI could read arbitrary files from the system by including an @ symbol followed by the target file path in their commands.
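To make the root cause concrete, here is a toy model of the @-file expansion, added as an example here and not Jenkins’ or args4j’s own code. `parse_cli_args` is a hypothetical parser: with expansion on it behaves like expandAtFiles, and with expansion off it shows the hardened form in which the @ token is passed through as an ordinary string; the sample file it reads is constructed inside the example.

```python
import os
import tempfile

def parse_cli_args(argv, expand_at_files=True):
    """Toy model of args4j-style argument preprocessing (not Jenkins' own code).

    With expand_at_files=True, a token of the form '@<path>' is replaced by the
    whitespace-separated tokens read from <path>, so whoever supplies the CLI
    arguments chooses which file the server opens. With expand_at_files=False
    (the hardened form) the token is passed through unchanged and no file is read.
    """
    expanded = []
    for token in argv:
        if expand_at_files and token.startswith("@") and len(token) > 1:
            with open(token[1:], "r", encoding="utf-8", errors="replace") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(token)
    return expanded

def demo_expansion():
    """Parse the same argv with and without expansion against a constructed file."""
    # Constructed stand-in for a sensitive file; no real system file is touched.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("sample:x:1000:1000::/home/sample:/bin/sh\n")
        sample_path = fh.name
    argv = ["help", "@" + sample_path]   # the '@' turns the argument into a file reference
    try:
        vulnerable = parse_cli_args(argv, expand_at_files=True)
        hardened = parse_cli_args(argv, expand_at_files=False)
    finally:
        os.unlink(sample_path)
    return vulnerable, hardened

if __name__ == "__main__":
    vuln, hard = demo_expansion()
    print("expandAtFiles on :", vuln)   # file contents leak into the argument list
    print("expandAtFiles off:", hard)   # the literal '@<path>' stays an opaque string
```

The point of the comparison is that the defect is not in any one command but in the argument preprocessing itself, which is why disabling the expansion (rather than filtering individual commands) removes the file read.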

Severity: Critical (CVSS 9.8/10)
Affected Versions: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier
Root Cause: Improper argument parsing in Jenkins CLI
Potential Impact: Arbitrary file read and remote code execution

If an attacker gains access to sensitive files, they may escalate their privileges, gaining unauthorized access to additional data or systems. This vulnerability could be exploited to read configuration files, credentials, or other critical information, ultimately allowing the attacker to compromise Jenkins’ functionality and the security of applications deployed via Jenkins.

Simulating the Attack in a Kubernetes Cluster

To demonstrate the impact of CVE-2024-23897, we’ve deployed Jenkins (version 2.441) to a Kubernetes (K8s) cluster.


With Jenkins up and running, we will exploit CVE-2024-23897 to attempt to read the /etc/passwd file, a typical reconnaissance step used by attackers to gain insights into system users. We will use the exploitation proof-of-concept (PoC) script. You can find the PoC script and detailed instructions at this link.

python3 CVE-2024-23897.py --url http://172.16.250.135:32000 -f /etc/passwd

After sending the crafted request, we observe a partial output of the /etc/passwd file, demonstrating unauthorized data exposure as anticipated.

Defend with AccuKnox Runtime Security

AccuKnox Runtime Security provides powerful, real-time protection against unauthorized or malicious activities by enforcing security policies directly in your environment. By integrating AccuKnox’s policies, you can proactively block exploitation attempts and secure sensitive files from unauthorized access.

Let’s walk through the steps to protect Jenkins from such attacks using AccuKnox Runtime Security:

  1. Ensure AccuKnox Runtime Security is Configured

Verify that AccuKnox Runtime Security is installed and configured on your Kubernetes cluster to enable security enforcement.

  2. Navigate to Policies

In the AccuKnox dashboard, go to the Policies section under the Runtime Security tab.

  3. Upload or Edit a Policy for Jenkins

Upload a pre-configured policy or use the policy editor to create a custom policy for Jenkins, then activate the policy.

This policy will be configured to block access to sensitive files such as /etc/passwd, /etc/shadow, and system logs, preventing unauthorized access.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: jenkins
  namespace: demo
spec:
  action: Block
  file:
    matchDirectories:
    - dir: /etc/ssh/
    matchPaths:
    - path: /etc/passwd
    - path: /etc/shadow
    - path: /var/log/auth.log
    - path: /var/log/wtmp
    - path: /var/run/utmp
  message: Access sensitive files detected
  selector:
    matchLabels:
      app: jenkins
  severity: 1

This policy ensures that any attempt from the Jenkins pod (selected by the app: jenkins label) to read or modify these files is blocked immediately.
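To check what the policy above actually covers before relying on it, the following is an added example (not AccuKnox or KubeArmor code) that mirrors the policy as a Python dict and evaluates constructed file-open events against it. It assumes KubeArmor's documented matching semantics: matchPaths is an exact match and matchDirectories covers only files directly inside the directory unless the rule sets recursive: true.

```python
import os

# Python mirror of the KubeArmorPolicy shown above (constructed here from that YAML).
JENKINS_POLICY = {
    "action": "Block",
    "selector": {"matchLabels": {"app": "jenkins"}},
    "file": {
        "matchDirectories": [{"dir": "/etc/ssh/"}],   # no 'recursive: true' in the policy
        "matchPaths": [{"path": p} for p in (
            "/etc/passwd", "/etc/shadow", "/var/log/auth.log",
            "/var/log/wtmp", "/var/run/utmp")],
    },
}

def selector_matches(policy, pod_labels):
    """The policy applies only to pods carrying every label in selector.matchLabels."""
    wanted = policy["selector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def file_rule_matches(policy, path):
    """Exact match for matchPaths; matchDirectories covers files directly inside the
    directory unless the rule sets recursive: true (assumed non-recursive default)."""
    spec = policy.get("file", {})
    if any(rule["path"] == path for rule in spec.get("matchPaths", [])):
        return True
    for rule in spec.get("matchDirectories", []):
        if rule.get("recursive", False):
            if path.startswith(rule["dir"]):
                return True
        elif os.path.dirname(path) + "/" == rule["dir"]:
            return True
    return False

def decide(policy, pod_labels, path):
    # Enforcement decision for one file-open event: the policy's action, else Allow.
    if selector_matches(policy, pod_labels) and file_rule_matches(policy, path):
        return policy["action"]
    return "Allow"

# Constructed sample events: (pod labels, file path opened by a process in that pod).
SAMPLE_EVENTS = [
    ({"app": "jenkins"}, "/etc/passwd"),             # the attempt shown on this page
    ({"app": "jenkins"}, "/etc/ssh/sshd_config"),    # directly inside /etc/ssh/
    ({"app": "jenkins"}, "/etc/ssh/keys/host_key"),  # subdirectory: not covered as written
    ({"app": "jenkins"}, "/etc/hostname"),           # not listed in the policy
    ({"app": "web"}, "/etc/passwd"),                 # selector does not match this pod
]

def evaluate_samples(policy=JENKINS_POLICY):
    return [(labels["app"], path, decide(policy, labels, path)) for labels, path in SAMPLE_EVENTS]
```

The third event is the caveat worth noticing: with the policy exactly as written, a file under a subdirectory of /etc/ssh/ is not blocked, so add recursive: true to the dir rule if that coverage is intended.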

Once AccuKnox Runtime Security policies are applied, the same attempt to access /etc/passwd is blocked. AccuKnox effectively prevents unauthorized access to sensitive files, ensuring that Jenkins remains secure against such exploits.


After the policy enforcement, an alert is triggered in the AccuKnox SaaS dashboard, notifying us of the blocked access attempt. The alert provides detailed information about the blocked activity, including the source of the request and the path of the sensitive file that was protected.


By using AccuKnox Runtime Security, you achieve real-time protection and prevent unauthorized file access, safeguarding Jenkins against potential exploitation.

You can protect your workloads in minutes using AccuKnox. It protects Kubernetes and other cloud workloads using kernel-native primitives such as AppArmor, SELinux, and eBPF.
