There has been an alert to DevOps to take precaution against an imminent Jenkins server exposure. Security researchers are warning that 12,000 cloud automation servers around the world could be hijacked to launch denial of service (DoS) attacks.
Radware issued an emergency response team threat alert yesterday after discovering 12,802 Jenkins servers that are still vulnerable to a flaw patched at the end of January.
Discovered by Adam Thorn of the University of Cambridge, CVE-2020-2100 affects Jenkins 2.218 and earlier as well as LTS 2.204.1 and earlier.
“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”
The bug could enable attackers to compromise exposed servers to launch two different types of DoS: an amplification attack and an infinite loop attack.
The latter was described by Geenens as “particularly nasty,” because “with a single spoofed packet, a threat actor can make two servers go into an infinite loop of replies, and they cannot be stopped unless one of the servers is rebooted or has its Jenkins service restarted.
“The same exposed service can also be abused by malicious actors to perform DDoS amplification attacks against random victims on the internet – victims do not have to run or expose Jenkins for the amplification attack to impact them,” he continued.
“If your DevOps teams are using Jenkins servers in their cloud or on-prem environments, there is a simple solution: either disable auto-discovery protocol if you do not use it or add a firewall policy to block access to port udp/33848.”
Open source Jenkins servers are popular among DevOps teams, which use them to build, test and deploy apps running in the cloud in environments such as Amazon Web Services, OVH, Hetzner, Host Europe, DigitalOcean and Linode.