  • T1-24-02-S-N-CIKM
  • Jenkins Args4j (CVE-2024-23897)

    What is Jenkins?

    Jenkins is an open-source automation server that supports Continuous Integration (CI) and Continuous Delivery (CD) in software development. It is highly extensible with numerous plugins, automating tasks such as building, testing, and deploying to improve development efficiency. It is widely used in DevOps environments.

    Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents. This allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
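The same class of parser feature, shown as an added example that is not part of this dataset or of Jenkins/args4j: Python's `argparse` has an equivalent '@file' expansion (`fromfile_prefix_chars`), so the weak and the hardened setting can be compared side by side. The `toy-cli` parser, its two commands and the sample file content are constructed for illustration.

```python
import argparse
import os
import tempfile


class RaisingParser(argparse.ArgumentParser):
    """ArgumentParser that raises instead of exiting, so errors can be inspected."""

    def error(self, message):
        raise ValueError(message)


def build_parser(expand_at_files):
    # fromfile_prefix_chars="@" is argparse's counterpart of the '@file'
    # expansion described above; None disables it (the hardened setting).
    parser = RaisingParser(
        prog="toy-cli",  # hypothetical CLI name
        fromfile_prefix_chars="@" if expand_at_files else None,
    )
    parser.add_argument("command", choices=["help", "version"])
    return parser


def parser_error_for(argv, expand_at_files):
    """Return the error text the parser would send back to the caller, or None."""
    try:
        build_parser(expand_at_files).parse_args(argv)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    # Constructed sample file standing in for a sensitive file on the server.
    secret = "constructed-secret-0123"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        path = fh.name
    try:
        argv = ["@" + path]
        weak = parser_error_for(argv, expand_at_files=True)
        hardened = parser_error_for(argv, expand_at_files=False)
    finally:
        os.unlink(path)
    return secret, weak, hardened


if __name__ == "__main__":
    secret, weak, hardened = demo()
    print("expansion on :", weak)
    print("expansion off:", hardened)
```

With expansion on, the parser error echoes the file's line back to the caller; with expansion off, the argument stays a literal string beginning with '@'.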


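  • Environment

    | Role     | OS           | IP         | Software      | Log collection time | Program runtime |
    |----------|--------------|------------|---------------|---------------------|-----------------|
    | Attacker | Ubuntu 22.04 | 172.17.0.1 | -             | 15 sec              | 30 sec          |
    | Victim   | Ubuntu 22.04 | 172.17.0.2 | Jenkins 2.441 |                     |                 |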

  • Installing
    python3 -m pip install -r requirements.txt

  • Using
    sudo docker load -i T1-24-02-S-N-CIKM.tar
    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion
    Credential Discovery Lateral Movement Collection Command and Control Exfiltration Impact

  • Logs
    ./log/2024_02_T1_{time}.pcap # YYmmdd_HHMMSS


  • References
    [1] NIST [CVE-2024-23897]
    [2] AhnLab ASEC [Status of Korean Servers Exposed to Jenkins Vulnerabilities (CVE-2024-23897, CVE-2024-43044)]
    [3] hackyboiz - ogu123 [CVE-2024-23897: Arbitrary File Read Vulnerability in Jenkins Servers]
    [4] Trend Micro [Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk]

  • Copyright(C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.