A vulnerability (CVE-2020-2100) in 12,000+ internet-facing Jenkins servers can be abused to mount and amplify reflective DDoS attacks against internet hosts, Radware researchers have discovered.
The vulnerability can also be triggered by a single, spoofed UDP packet to launch DoS attacks against those same vulnerable Jenkins servers, by forcing them into an infinite loop of replies that can’t be stopped unless one of the servers is rebooted or has its Jenkins service restarted.
About the vulnerability (CVE-2020-2100)
CVE-2020-2100, discovered and responsibly disclosed by Adam Thorn from the University of Cambridge, is caused by a network discovery service (UDP multicast/broadcast) that is enabled by default and exposed in publicly facing servers.
“The vulnerability allows attackers to abuse Jenkins servers by reflecting UDP requests off port UDP/33848, resulting in an amplified DDoS attack containing Jenkins metadata. This is possible because Jenkins/Hudson servers do not properly monitor network traffic and are left open to discover other Jenkins/Hudson instances,” Radware researchers explained.
“An attacker can either send a UDP broadcast packet locally to 255.255.255.255:33848 or they could send a UDP multicast packet to JENKINS_REFLECTOR:33848. When a packet is received, regardless of the payload, Jenkins/Hudson will send an XML response of Jenkins metadata in a datagram to the requesting client, giving attackers the ability to abuse its UDP multicast/broadcast service to carry out DDoS attacks.”
The vulnerability was fixed in Jenkins 2.219 and LTS 2.204.2 two weeks ago by disabling Jenkins’ two network discovery services (UDP multicast/broadcast and DNS multicast) by default.
“Administrators that need these features can re-enable them again by setting the system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or the system property hudson.udp to 33848, or another port (for UDP broadcast/multicast),” Jenkins developers explained in an advisory.
An alternative to disabling the UDP multicast/broadcast service is to add a firewall policy to block access to port UDP/33848.
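The two fixes above (upgrade so discovery is off by default, or pin the system properties yourself) are easy to get wrong when Jenkins is started through a service file that nobody has looked at in a while. The audit script below is an added example written for this page, not code from Jenkins, Radware or the advisory. It takes the installed Jenkins version string and the JVM options the service is started with, and reports whether the UDP/33848 responder and the DNS multicast service are still active. The version cutoffs (2.219 weekly, 2.204.2 LTS) and the property names come from the article; the convention that `hudson.udp=-1` turns the UDP responder off on older releases is taken from Jenkins documentation and is an assumption as far as this page is concerned. The sample configurations at the bottom are constructed for illustration.

```python
"""Audit a Jenkins start-up configuration for the CVE-2020-2100 discovery
services (UDP multicast/broadcast on 33848 and DNS multicast).

Added example, not code from Jenkins or Radware. Inputs are the installed
Jenkins version and the JAVA_OPTS-style string the service is launched with.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

UDP_DISCOVERY_PORT = 33848     # port named in the advisory
FIXED_WEEKLY = (2, 219)        # discovery disabled by default from 2.219
FIXED_LTS = (2, 204, 2)        # ... and from LTS 2.204.2


def parse_version(version: str) -> tuple[int, ...]:
    """'2.204.2' -> (2, 204, 2). LTS releases carry three components, weekly two."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def discovery_disabled_by_default(version: str) -> bool:
    """True when this release ships with both discovery services switched off."""
    v = parse_version(version)
    if len(v) == 3:                  # LTS line: fixed in 2.204.2
        return v >= FIXED_LTS
    return v >= FIXED_WEEKLY         # weekly line: fixed in 2.219


def system_properties(java_opts: str) -> dict[str, str]:
    """Collect -Dname=value pairs from a JAVA_OPTS-style string."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", java_opts))


@dataclass
class DiscoveryStatus:
    udp_port: int | None   # None when the UDP responder is off
    dns_multicast: bool    # True when the DNS multicast service is on


def audit(version: str, java_opts: str = "") -> DiscoveryStatus:
    """Resolve the effective state of both discovery services."""
    props = system_properties(java_opts)
    patched = discovery_disabled_by_default(version)

    # hudson.udp: a positive port enables the responder; -1 disables it.
    # (The -1 convention is an assumption taken from Jenkins documentation.)
    udp_raw = props.get("hudson.udp")
    if udp_raw is None:
        udp_port = None if patched else UDP_DISCOVERY_PORT
    else:
        port = int(udp_raw)
        udp_port = port if port > 0 else None

    # hudson.DNSMultiCast.disabled=false re-enables DNS multicast on fixed
    # releases; on older releases it is on unless explicitly set to true.
    dns_raw = props.get("hudson.DNSMultiCast.disabled")
    if dns_raw is None:
        dns_multicast = not patched
    else:
        dns_multicast = dns_raw.lower() != "true"

    return DiscoveryStatus(udp_port=udp_port, dns_multicast=dns_multicast)


def exposed_to_cve_2020_2100(version: str, java_opts: str = "") -> bool:
    """The reflector only exists while the UDP responder is listening."""
    return audit(version, java_opts).udp_port is not None


if __name__ == "__main__":
    # Constructed sample configurations, not real hosts.
    samples = [
        ("2.204.1", ""),                                   # old LTS, defaults
        ("2.204.1", "-Dhudson.udp=-1 -Dhudson.DNSMultiCast.disabled=true"),
        ("2.204.2", ""),                                   # fixed LTS, defaults
        ("2.219", "-Dhudson.udp=33848"),                   # fixed, but re-enabled
    ]
    for version, opts in samples:
        status = audit(version, opts)
        print(f"{version:<8} {opts or '(defaults)':<55} "
              f"udp={status.udp_port} dns_multicast={status.dns_multicast} "
              f"exposed={exposed_to_cve_2020_2100(version, opts)}")
```

Run it against the version and start-up options of each internet-facing instance; any result with `udp=33848` still needs either the upgrade, the `hudson.udp=-1` property, or the UDP/33848 firewall rule the article mentions.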
“Much like was the case with memcached, people that design and develop on the open source Jenkins project assume that these servers will be internally facing,” Pascal Geenens, Cyber Security Evangelist for Radware, told Help Net Security.
Unfortunately, the reality is that many Jenkins servers end up being publicly exposed.
Radware scanned the internet for Jenkins servers vulnerable to CVE-2020-2100 and discovered nearly 13,000 of them distributed across the globe, mostly in Asia, Europe and North America. Most of the exposed servers are hosted within the networks of the largest service providers.
“Many DevOps teams depend upon Jenkins to build, test and continuously deploy their applications running in cloud and shared hosting environments such as Amazon, OVH, Hetzner, Host Europe, DigitalOcean, Linode, and many more,” Geenens noted.
Radware’s researchers determined the average bandwidth amplification factor for the Jenkins reflective amplification attack across all currently exposed servers: 3.00.
“Combined with over 12,000 exposed Jenkins servers globally, it creates a viable DDoS threat,” the researchers concluded.