Discovered by University of Cambridge’s Dr. Adam Thorn and tracked as CVE-2020-2100, the flaw stems from two defaults: both the UDP multicast/broadcast discovery service (UDP port 33848) and DNS multicast (mDNS) are enabled out of the box on Jenkins, and Jenkins answers any datagram that reaches the discovery port, without checking who sent it, with roughly 100 bytes of instance metadata in reply to a single byte. Because UDP is connectionless, the sender address is trivially spoofed: an attacker who writes a victim’s IP into the source field turns every exposed Jenkins controller into a reflector that amplifies traffic about a hundredfold towards the attacker’s choice of target(s), the classic ingredient of a Distributed Denial of Service (DDoS) attack. The same unchecked reply also lets two Jenkins instances be tricked into answering each other indefinitely, which threatens the availability of the instances themselves. The fix shipped in Jenkins 2.219 and LTS 2.204.2, which turn both services off by default.
Image credit: https://en.wikipedia.org/wiki/File:Ddos-attack-ex.png
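The following is an added example, not code from the Sonatype post or from the Jenkins project. It performs the check a practitioner would want before trusting the defaults: it sends the same one-byte UDP datagram an attacker would reflect off a Jenkins controller, measures the amplification factor (reply bytes per request byte) and pulls out the metadata an unpatched instance leaks. Port 33848 is Jenkins’ documented UDP discovery port; the element names parsed from the reply (`version`, `url`, `server-id`, `slave-port`) are an assumption based on the format unpatched instances return, and `SAMPLE_REPLY` is a constructed reply so the script runs offline when no host is given.

```python
"""Probe a Jenkins instance's UDP discovery service (CVE-2020-2100).

Added example, not from the Sonatype post or the Jenkins project. Run with a
hostname to probe a real instance; with no argument it analyses a constructed
sample reply so the logic can be exercised offline.
"""
import re
import socket
import sys

JENKINS_UDP_PORT = 33848   # default value of the hudson.udp system property
PROBE = b"\x00"            # one-byte datagram; the service ignores its content

# Constructed sample of a discovery reply from an unpatched instance.
# Element names are an assumption; the host, server-id and ports are made up.
SAMPLE_REPLY = (
    b"<hudson><version>2.204.1</version>"
    b"<url>http://jenkins.example.internal:8080/</url>"
    b"<server-id>0123456789abcdef0123456789abcdef</server-id>"
    b"<slave-port>50000</slave-port></hudson>"
)


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes returned per byte sent; anything well above 1 makes a useful reflector."""
    if not request:
        raise ValueError("request must be non-empty")
    return len(response) / len(request)


def parse_discovery_reply(reply: bytes) -> dict:
    """Extract the metadata fields leaked in the discovery reply (assumed tag names)."""
    text = reply.decode("utf-8", errors="replace")
    fields = {}
    for tag in ("version", "url", "server-id", "slave-port"):
        match = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        if match:
            fields[tag] = match.group(1).strip()
    return fields


def classify(request: bytes, response: bytes, threshold: float = 10.0) -> str:
    """Label the exposure: no reply (service disabled or filtered),
    a small reply, or a reply large enough to serve as an amplifier."""
    if not response:
        return "no-reply"
    factor = amplification_factor(request, response)
    return "amplifier" if factor >= threshold else "responds"


def probe(host: str, port: int = JENKINS_UDP_PORT, timeout: float = 2.0) -> bytes:
    """Send the one-byte probe and return the raw reply (b'' on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(PROBE, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return b""
    return data


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    reply = probe(target) if target else SAMPLE_REPLY
    print(f"reply: {len(reply)} bytes, "
          f"factor {amplification_factor(PROBE, reply):.1f}x, "
          f"verdict: {classify(PROBE, reply)}")
    for name, value in parse_discovery_reply(reply).items():
        print(f"  {name}: {value}")
```

A verdict of `amplifier` against a host you own means the instance is still reflecting. The remedy is to upgrade to 2.219 / LTS 2.204.2 or later, where both services are off by default; on an older release the same effect is had by starting Jenkins with `-Dhudson.udp=-1 -Dhudson.DNSMultiCast.disabled=true`, after which the probe should time out and report `no-reply`.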
Jenkins is an open source automation server used extensively by the developer community. Organisations use it to take care of repetitive tasks such as running builds and routine scripts, and running unit tests after every change or on whatever schedule a developer configures. It is easy to see the reason behind Jenkins’ popularity – it appeals to devs when it comes to saving time and “automating away” the monotonous steps that are an integral part of the software development workflow.
According to Shodan, upwards of 260,000 devices are currently running public-facing Jenkins server instances. Unless sysadmins behind them are super-diligent beings who have upgraded their Jenkins, a vast majority of these instances would (Read more…)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay ‘Ax’ Sharma. Read the original post at: https://blog.sonatype.com/cve-2020-2100-jenkins-udp-amplification-reflection-attack-distributed-denial-of-service