Radware’s threat research has surveyed the cybersecurity landscape related to Jenkins Security Advisory 1641, also known as CVE-2020-2100, and confirm that over 12,000 exposed Jenkins’ servers can easily be abused by an attacker to launch distributed reflective denial-of-service (DrDoS) attacks with an average amplification factor of 3.00.
Radware’s threat research has surveyed the cybersecurity landscape related to Jenkins Security Advisory 1641, also known as CVE-2020-2100, and confirm that over 12,000 exposed Jenkins’ servers can easily be abused by an attacker to launch distributed reflective denial-of-service (DrDoS) attacks with an average amplification factor of 3.00. Exposed Jenkins servers are under an immediate threat of infinity reply loops between each other. That loop can be initiated by a remote attacker using a single, spoofed UDP packet.
On January 29, 2020, the Jenkins project published a security advisory containing a vulnerability with UDP amplification reflection attack potential. Security alert 1641, also known as CVE-2020-2100, reports the vulnerability discovered by Adam Thorn from the University of Cambridge and how it impacts Jenkins versions 2.218 and earlier as well as LTS 2.204.1 and earlier.
Jenkins, by default, supports two network discovery services: UDP multicast/broadcast and DNS multicast. The vulnerability allows attackers to abuse Jenkins servers by reflecting UDP requests off port UDP/33848, resulting in an amplified DDoS attack containing Jenkins metadata. This is possible because Jenkins/Hudson servers do not properly monitor network traffic and are left open to discover other Jenkins/Hudson instances. Jenkins/Hudson responds to any traffic on UDP port 33848. An attacker can either send a UDP broadcast packet locally to 255.255.255.255:33848 or they could send a UDP multicast packet to JENKINS_REFLECTOR:33848. When a packet is received, regardless of the payload, Jenkins/Hudson will send an XML response of Jenkins metadata in a datagram to the requesting client, giving attackers the ability to abuse its UDP multicast/broadcast service to carry out DDoS attacks.
Carefully crafted UDP packets can also make two Jenkins servers go into an infinite loop of replies, causing a denial of service against both servers. When exposed on the internet, port UDP/33848 becomes a public threat and can be abused for DrDoS or leveraged to take out multiple Jenkins clusters.
The vulnerability was fixed in Jenkins 2.219 and LTS 2.204.2 by disabling both UDP multicast/broadcast and DNS multicast by default. Administrators can reenable those features, but Radware advises ensuring those services are not exposed to the public internet.