Radware has issued an Emergency Response Team threat alert after its research confirmed that over 12,000 exposed Jenkins servers could easily be abused by an attacker.
After the issue was reported by Adam Thorn of the University of Cambridge, the Jenkins project published a security advisory on January 29, 2020, about the vulnerability, CVE-2020-2100, which affects Jenkins version 2.218 and earlier as well as LTS 2.204.1 and earlier.
“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”
The vulnerability could allow attackers to use the exposed servers for two kinds of attack: an amplification attack and an infinite loop attack.
In the latter, a single crafted packet can set two servers replying to each other indefinitely; the loop does not stop until one of the servers is rebooted or its Jenkins service is restarted.
“The same exposed service can also be abused by malicious actors to perform DDoS amplification attacks against random victims on the internet – victims do not have to run or expose Jenkins for the amplification attack to impact them,” Geenens continued.
“If your DevOps teams are using Jenkins servers in their cloud or on-prem environments, there is a simple solution: either disable auto-discovery protocol if you do not use it or add a firewall policy to block access to port udp/33848.”
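The two mitigations above, as an added example that is not part of the article or of the Jenkins project's own tooling: a POSIX shell script that forces the Jenkins `hudson.udp` system property to `-1` (the value that disables the UDP discovery listener) in the service's JVM options and prints the firewall rules that block udp/33848. It assumes a Debian-style `/etc/default/jenkins` with a `JENKINS_JAVA_OPTIONS="..."` line; the admin subnet is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article or the Jenkins project): harden a Jenkins
# host against CVE-2020-2100 by disabling UDP discovery and filtering udp/33848.
# Assumption: extra JVM flags live in the JENKINS_JAVA_OPTIONS line of
# /etc/default/jenkins (Debian-style packaging); adjust the path otherwise.

# Return the JVM options with discovery disabled. Idempotent: an existing
# -Dhudson.udp=<port> is rewritten to -1 instead of being duplicated.
disable_discovery_opts() {
    opts="$1"
    case " $opts " in
        *" -Dhudson.udp="*)
            printf '%s\n' "$opts" | sed 's/-Dhudson\.udp=[^ ]*/-Dhudson.udp=-1/'
            ;;
        *)
            printf '%s\n' "${opts:+$opts }-Dhudson.udp=-1"
            ;;
    esac
}

# Exit status 0 if the given options string already disables discovery.
discovery_disabled() {
    case " $1 " in
        *" -Dhudson.udp=-1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite (or append) the JENKINS_JAVA_OPTIONS line of a config file.
patch_config() {
    cfg="$1"
    current=$(sed -n 's/^JENKINS_JAVA_OPTIONS="\(.*\)"$/\1/p' "$cfg")
    new=$(disable_discovery_opts "$current")
    if grep -q '^JENKINS_JAVA_OPTIONS=' "$cfg"; then
        sed "s|^JENKINS_JAVA_OPTIONS=.*|JENKINS_JAVA_OPTIONS=\"$new\"|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'JENKINS_JAVA_OPTIONS="%s"\n' "$new" >> "$cfg"
    fi
}

# Print iptables rules: allow discovery probes only from an admin subnet
# (constructed placeholder 10.0.0.0/8), drop them from everywhere else.
firewall_rules() {
    admin_net="${1:-10.0.0.0/8}"
    printf 'iptables -A INPUT -p udp --dport 33848 -s %s -j ACCEPT\n' "$admin_net"
    printf 'iptables -A INPUT -p udp --dport 33848 -j DROP\n'
}
```

Run `patch_config /etc/default/jenkins` and restart the Jenkins service for the change to take effect; `firewall_rules | sh` applies the port filter on hosts that use iptables.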
The post #Privacy: Over 12,000 exposed Jenkins’ servers vulnerable to DDoS attacks appeared first on PrivSec Report.