In this week's Security Advisory:
- Security Advisory Update: Critical Remote Code Execution Vulnerability in Jenkins
- Critical Authentication Bypass Vulnerability in JetBrains TeamCity On-Premise Servers
- Critical Vulnerability in Shim Affects Multiple Linux Distributions
- Zero-Day in Windows Event Log Could Cause Denial-of-Service
- Security Updates Released for Google Chrome Desktop Browser and Android Products
Security Advisory Update: Critical Remote Code Execution Vulnerability in Jenkins
New threat intel indicates that the vulnerability (CVE-2024-23897) impacting Jenkins is now actively being exploited in the wild. It is recommended to update Jenkins to its latest version immediately.
Original Security Advisory - January 26th, 2024:
A critical vulnerability was discovered in Jenkins that could lead to remote code execution. Jenkins is a popular open-source Continuous Integration and Continuous Deployment (CI/CD) software that has hundreds of thousands of active installations. The vulnerability is being tracked as CVE-2024-23897 and is an issue in the command line interface's command parser feature that could allow an unauthenticated attacker to read arbitrary files on the affected server. Successful exploitation could lead to an attacker accessing files with cryptographic keys, passwords, credentials, source code, and other sensitive information. An attacker could leverage this information to execute remote code on the server. CVE-2024-23897 received a CVSS score of 9.8 out of a possible 10.
The following versions are affected:
- Jenkins 2.441 and earlier
- LTS 2.426.2 and earlier
Proof-of-concept exploits are available for this vulnerability, so organizations should update the affected server to its latest version immediately. If organizations cannot apply the latest patch, it is recommended to disable access to Jenkins command line interface.
More Reading/Information
- https://www.jenkins.io/security/advisory/2024-01-24/
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
- https://www.securityweek.com/critical-jenkins-vulnerability-leads-to-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2024-23897
- https://www.helpnetsecurity.com/2024/01/29/cve-2024-23897/
Critical Authentication Bypass Vulnerability in JetBrains TeamCity On-Premise Servers
JetBrains issued a patch to address critical authentication bypass vulnerability in its TeamCity On-Premise servers. TeamCity is a popular continuous integration and continuous delivery (CI/CD) server. The vulnerability, CVE-2024-23917, allows an unauthenticated attacker to bypass authentication and gain administrator privileges on the affected server. Successful exploitation could lead to an attacker executing remote code on the affected server. CVE-2024-23917 received a CVSS score of 9.8 out of a possible 10.
The following versions are affected:
- TeamCity On-Premise versions 2017.1 through 2023.11.2
Of note, TeamCity Cloud servers have already been patched.
More Reading/Information
- https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/
- https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-new-teamcity-auth-bypass-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2024-23917
Critical Vulnerability in Shim Affects Multiple Linux Distributions
A critical vulnerability was discovered in Shim that could lead to an attacker executing remote code. Shim is a piece of code that ensures that only trusted software can run during the boot process and is used on most Linux distributions that support Secure Boot. The vulnerability is being tracked as CVE-2023-40547 and is an out-of-bounds write issue in Shim's HTTP protocol handling. An attacker could exploit this vulnerability by sending specially crafted HTTP requests and gain remote code execution, potentially leading to complete system compromise. CVE-2023-40547 received a CVSS score of 9.8 out of a possible 10.
Shim is maintained by RedHat and is used in most Linux distributions that support Secure Boot, including Debian, Ubuntu, SUSE, and others.
More Information/Reading
- https://access.redhat.com/security/cve/CVE-2023-40547
- https://www.securityweek.com/most-linux-systems-exposed-to-complete-compromise-via-shim-vulnerability/
- https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/
- https://nvd.nist.gov/vuln/detail/CVE-2023-40547
Zero-Day in Windows Event Log Could Cause Denial-of-Service
A zero-day was discovered in Windows Event Logs that could lead to a denial-of-service attack. The zero-day is called "EventLogCrasher" and could allow an authenticated attacker to crash the Event Log service on any machine within the network, including domain controllers. If an attacker crashes the Event Log service, any detection mechanisms (SIEM and IDS) ingesting Windows Event Logs will be blind as they can no longer view Windows events to trigger an alert. While this zero-day has not been actively exploited in the wild, a proof-of-concept exploit is available.
The following versions of Windows are affected:
- Windows 7 to Windows 11
- Windows Server 2008 R2 to Server 2022
More Reading/Information
- https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html
- https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/
- https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
Security Updates Released for Google Chrome Desktop Browser and Android Products
There were security updates released for vulnerabilities found in Google Chrome and Android.
Google Chrome had a total of three (3) vulnerabilities, with two (2) given a severity rating of "High." The most severe can lead to arbitrary code execution and currently affects Windows, Mac, and Linux. There are no reports of these vulnerabilities being exploited in the wild.
Android released updates to address forty-six (46) vulnerabilities, with one (1) given a severity rating of "Critical." The most severe is being tracked as CVE-2024-0031 and is a vulnerability in the System component that could lead to an attacker executing remote code on the affected system without requiring user interaction. These vulnerabilities affect Android OS security patch levels prior to 2024-02-05.
More Reading/Information
- https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop.html
- https://source.android.com/docs/security/bulletin/2024-02-01
- https://www.securityweek.com/critical-remote-code-execution-vulnerability-patched-in-android/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
