Radware has issued an emergency response team threat alert after research confirmed that over 12,000 exposed Jenkins servers could easily be abused by an attacker.
After the issue was discovered by Adam Thorn from the University of Cambridge, the Jenkins project published a security advisory on January 29, 2020, about the vulnerability, CVE-2020-2100, which impacts Jenkins version 2.218 and earlier as well as LTS 2.204.1 and earlier.
“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”
The vulnerability could allow attackers to abuse the exposed servers to launch an amplification attack and an infinite loop attack.
The latter could allow an attacker to use a crafted packet to initiate a reply loop between two servers that cannot be stopped unless one of the servers is rebooted or the Jenkins service is restarted.
“The same exposed service can also be abused by malicious actors to perform DDoS amplification attacks against random victims on the internet – victims do not have to run or expose Jenkins for the amplification attack to impact them,” Geenens continued.
“If your DevOps teams are using Jenkins servers in their cloud or on-prem environments, there is a simple solution: either disable auto-discovery protocol if you do not use it or add a firewall policy to block access to port udp/33848.”
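The following is an added example, not code from Radware, Jenkins or the advisory: a small Python self-check that an operator can run against their own Jenkins host to confirm that the udp/33848 discovery service no longer answers after applying the mitigation, plus a helper that maps a reported version string onto the affected ranges named above. The XML field names in the sample reply (`version`, `url`, `server-id`, `slave-port`) and the assumption that the listener answers any datagram are taken from the discovery protocol's known behaviour; the sample values are constructed.

```python
import socket
import xml.etree.ElementTree as ET

JENKINS_DISCOVERY_PORT = 33848  # UDP port named in the advisory

# Constructed sample of the XML reply a Jenkins discovery listener sends back.
# Field names follow the discovery protocol; every value here is invented.
SAMPLE_REPLY = (
    b"<hudson><version>2.204.1</version>"
    b"<url>http://jenkins.internal.example:8080/</url>"
    b"<server-id>00000000-placeholder-server-id</server-id>"
    b"<slave-port>50000</slave-port></hudson>"
)


def parse_discovery_reply(data):
    """Return the fields of a Jenkins discovery reply as a dict, or None if the
    datagram is not a <hudson> XML document."""
    try:
        root = ET.fromstring(data.decode("utf-8", errors="replace"))
    except ET.ParseError:
        return None
    if root.tag != "hudson":
        return None
    return {child.tag: (child.text or "").strip() for child in root}


def version_is_affected(version):
    """True if a version string falls inside the affected ranges from the advisory:
    weekly releases up to 2.218, LTS releases (three components) up to 2.204.1.
    Returns None for strings that are not dotted integers."""
    try:
        nums = [int(p) for p in version.split(".")]
    except ValueError:
        return None
    if len(nums) == 3:          # LTS line, e.g. 2.204.1
        return nums <= [2, 204, 1]
    if len(nums) == 2:          # weekly line, e.g. 2.218
        return nums <= [2, 218]
    return None


def probe_discovery(host="127.0.0.1", port=JENKINS_DISCOVERY_PORT, timeout=2.0):
    """Send one small datagram to our own Jenkins host and return the parsed reply,
    or None when nothing answers (discovery disabled or port firewalled)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\n", (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:         # timeout or ICMP port-unreachable: no listener
            return None
    return parse_discovery_reply(data)


def assess(reply):
    """Turn a probe result into a short operator-facing verdict."""
    if reply is None:
        return "discovery not answering: mitigation in place"
    affected = version_is_affected(reply.get("version", ""))
    if affected:
        return "discovery enabled on an affected version: disable it or block udp/33848"
    return "discovery enabled: disable it unless it is actually needed"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then a live check of localhost.
    print(assess(parse_discovery_reply(SAMPLE_REPLY)))
    print(assess(probe_discovery()))
```

Run it on the Jenkins host itself; a result of "discovery not answering" after setting the discovery port to disabled in the Jenkins configuration, or after adding the firewall rule for udp/33848, confirms the mitigation. The version helper is deliberately conservative: a string it cannot parse yields None rather than a false "not affected".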