Advisory Overview
Jenkins is an open source automation server used to build, test and deploy software projects. Two services that are enabled by default in Jenkins, UDP multicast/broadcast and DNS multicast, can be abused by attackers in Distributed Denial of Service (DDoS) attacks. The attacks are possible because UDP port 33848 is publicly reachable and incoming traffic is not properly validated. A patch has been issued that disables the services by default; administrators or developers can manually re-enable them if required.
Technical detail and additional information
What is the threat?
Both UDP multicast/broadcast and DNS multicast are enabled by default in unpatched Jenkins versions, and incoming requests are not properly verified, which can compromise the availability of Jenkins instances. A specially crafted request as small as one byte prompts the server to send back a response of 100 bytes or more, which can be used to cause a DDoS attack. Attackers can create a spoofed UDP packet whose source IP appears to be the target machine and whose destination is a vulnerable Jenkins server on port 33848. The server returns large amounts of data to the target, creating an amplified attack that could crash the victim's device. Additionally, two Jenkins servers on the same network can receive spoofed UDP packets and, because they do not discriminate between incoming requests but respond to every request received, reply to each other indefinitely, causing a Denial of Service (DoS) attack.
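As an added example (not from the advisory or from Jenkins), the script below reviews constructed per-request flow records for a Jenkins host's UDP port 33848 and flags the two patterns described above: an amplification ratio of 100x or more toward a single peer, and requests arriving from another host's port 33848 (the reply-loop case). The record format, field names and sample values are assumptions made for the example.

```python
"""Flag UDP 33848 amplification and reply-loop candidates in flow records."""
from collections import defaultdict
from typing import Dict, List, Tuple

JENKINS_UDP_PORT = 33848      # Jenkins UDP multicast/broadcast discovery port
AMPLIFICATION_FACTOR = 100    # advisory: ~1 byte in, 100+ bytes out

# Constructed sample records (not captured traffic), one request/response pair per line:
# jenkins_host  peer_ip  peer_src_port  request_bytes  response_bytes
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.7 51234 1 130
10.0.0.5 203.0.113.7 51234 1 130
10.0.0.5 203.0.113.7 51234 1 130
10.0.0.5 10.0.0.9 33848 130 130
10.0.0.5 10.0.0.6 40210 40 130
"""

def parse_flows(text: str) -> List[dict]:
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, peer, sport, req, resp = line.split()
        flows.append({"host": host, "peer": peer, "sport": int(sport),
                      "req": int(req), "resp": int(resp)})
    return flows

def analyze(flows: List[dict], factor: int = AMPLIFICATION_FACTOR) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (jenkins_host, peer): bytes in/out, amplification ratio, loop hint."""
    agg = defaultdict(lambda: {"req": 0, "resp": 0, "count": 0, "loop": False})
    for f in flows:
        a = agg[(f["host"], f["peer"])]
        a["req"] += f["req"]
        a["resp"] += f["resp"]
        a["count"] += 1
        # request sent from another host's 33848: Jenkins-to-Jenkins reply loop candidate
        if f["sport"] == JENKINS_UDP_PORT:
            a["loop"] = True
    for a in agg.values():
        a["ratio"] = a["resp"] / a["req"] if a["req"] else float("inf")
        a["amplified"] = a["ratio"] >= factor
    return dict(agg)

def flagged(flows: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, peer, reason) for peer pairs worth investigating."""
    out = []
    for (host, peer), a in analyze(flows).items():
        if a["amplified"]:
            out.append((host, peer, f"amplification x{a['ratio']:.0f} over {a['count']} replies"))
        elif a["loop"]:
            out.append((host, peer, "reply loop candidate (peer source port 33848)"))
    return out

if __name__ == "__main__":
    for host, peer, reason in flagged(parse_flows(SAMPLE_FLOWS)):
        print(f"{host} -> {peer}: {reason}")
```

The 10.0.0.6 peer sends a normal-sized request and is not flagged; only the 1-byte requests reflected at 130x and the request sourced from another host's port 33848 are reported.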
Why is this noteworthy?
This threat is noteworthy because Jenkins is an open source automation tool used by many organizations for tasks such as routine scripts or running projects, so there are many servers in use. Shodan, a search engine used to find publicly facing devices and their vulnerabilities, shows over 260,000 Jenkins servers currently publicly facing. If the administrators in charge of these servers do not ensure that traffic is restricted to only desired or necessary traffic, many of these instances may be vulnerable to this exploit.
What is the exposure or risk?
Users of Jenkins may assume their servers and projects are internally facing and therefore not exposed to external attacks such as the vulnerability detailed above; however, many are in fact public facing. A scan of servers vulnerable to this CVE revealed almost 13,000 servers vulnerable to this particular exploit. If these servers remain unpatched, attackers could manipulate them to cause DDoS attacks against targets of their choice.
What are the recommendations?
Update Jenkins to version 2.219 or LTS 2.204.2 or later, which disable the services by default. If these services are necessary, administrators or developers can re-enable them by setting the system property hudson.DNSMultiCast.disabled to false and/or hudson.udp to port 33848 or another UDP broadcast/multicast port. Alternatively, administrators can add a firewall policy to block or restrict access to UDP port 33848.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.helpnetsecurity.com/2020/02/11/cve-2020-2100/
- https://nvd.nist.gov/vuln/detail/CVE-2020-2100
- https://securityboulevard.com/2020/02/nexus-intelligence-insights-cve-2020-2100-jenkins-udp-amplification-reflection-attack-leading-to-distributed-denial-of-service-ddos/
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1641
If you have any questions, please contact our Security Operations Center.