In the wake of the serious Jenkins vulnerability impacting at least 12,000 Jenkins servers, we dedicate February’s Nexus Intelligence Insights to helping you solve it.
This vulnerability is clever; it opens up two potential lines of attack. One is through amplification and reflection; the other kickstarts an infinity loop. Both malicious possibilities are described below.
But first, how was CVE-2020-2100 discovered, who and what does it affect, and how can it be fixed?
Type of Vulnerability: CWE-406 / Network Amplification, leading to Denial of Service (DoS)
CVSS 3.1 Score: 5.8
CVSS 3.1 Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Discovered by University of Cambridge’s Dr. Adam Thorn and known as CVE-2020-2100, the flaw takes advantage of the fact that, by default, both UDP multicast/broadcast and DNS multicast traffic is enabled on Jenkins. Additionally, Jenkins does not properly verify incoming traffic requests. This proves to be problematic because it can essentially compromise the availability of a Jenkins instance. The instance can then be manipulated by an attacker to cause Distributed Denial of Service (DDoS) attacks against the attacker’s choice of target(s).
Image credit: https://en.wikipedia.org/wiki/File:Ddos-attack-ex.png
Jenkins is an open source automation tool used extensively by the developer community. Organisations use Jenkins to take care of menial tasks, such as running builds and routine scripts, and performing unit tests after every change, or as configured by a developer. You can see the reason behind Jenkins’ popularity – it’s appealing to devs when it comes to saving time and “automating away” the same, monotonous tasks which are an integral part of the software development workflow.
According to Shodan, upwards of 260,000 devices are currently running public-facing Jenkins server instances. Unless sysadmins behind them are super-diligent beings who have upgraded their Jenkins, a vast majority of these instances would (Read more…)