Jenkins servers can be abused for DDoS attacks

jenkins.png

Jenkins, an open source server used to perform automated tasks, can be abused to launch distributed denial of service (DDoS) attacks.

DDoS attacks are possible because of a vulnerability in the Jenkins codebase. The bug (tracked as CVE-2020-2100) has been fixed in Jenkins v2.219, released last month.

According to the Jenkins security advisory, Jenkins installations support two network discovery protocols namely an UDP multicast/broadcast protocol and a second DNS multicast protocol.

Both protocols are enabled by default. They are used so that Jenkins servers can detect each other and work in clusters.

The UDP protocol is universally known for allowing attackers to amplify traffic part of DDoS attacks, and then bounce it to the attack’s intended target.

Last year, Adam Thorn from the University of Cambridge, discovered that an attacker could do the same with the Jenkins UDP discovery protocol (active on UDP port 33848), and abuse it to amplify and bounce traffic part of DDoS attacks.

“A single byte request to this service would respond with more than 100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins master,” the Jenkins team said, suggesting that Jenkins servers could be abused in DDoS attacks that amplify initial traffic by up to 100 times towards attack targets.

An amplification factor of 100 is considered above average, towards being pretty dangerous.

However, ZDNet has asked a source in the DDoS mitigation community to test this attack vector last week. Results have shown that despite having a pretty large amplification factor, the attack isn’t reliable, as (internet-exposed) Jenkins servers tend to crash when abused this way.

The bigger issue, though, is that the same bug has a secondary effect, namely that Jenkins servers can be tricked into sending continous packets to each other, making Jenkins servers across the internet enter into an infinite loop and eventually crash.

Companies that have Jenkins servers exposed on the internet are advised to update to v2.219, or at least block any inbound traffic to the 33848 port.