Jenkins, an open source server used to run automated tasks, can be abused by attackers to amplify Distributed Denial of Service (DDoS) attacks.

The DDoS amplification is possible because of a vulnerability in the Jenkins code base. The bug, tracked as CVE-2020-2100, was fixed in Jenkins v2.219, released last month.

According to the Jenkins security advisory, Jenkins installations support two network discovery protocols: a UDP multicast/broadcast protocol and a DNS multicast protocol.

Both protocols are enabled by default. They allow Jenkins servers to discover each other and work in clusters.

UDP is known to allow attackers to amplify DDoS traffic and reflect it onto the intended target of the attack.

Last year, Adam Thorn of the University of Cambridge discovered that an attacker could do the same with the Jenkins UDP discovery protocol (active on UDP port 33848), abusing it to amplify and reflect DDoS traffic.

“A one-byte request for this service would respond with more than 100 bytes of Jenkins metadata that can be used in a DDoS attack on a Jenkins master,” the Jenkins team said, meaning that Jenkins servers could be abused in DDoS attacks that amplify the attacker's initial traffic up to 100 times toward the target.

An amplification factor of 100 is considered above average and verges on quite dangerous.

However, ZDNet asked a source in the DDoS mitigation community last week to test this attack vector. The results showed that, despite the fairly large amplification factor, the attack is not reliable, because internet-exposed Jenkins servers tend to crash when abused in this way.

The bigger problem, however, is that the same bug has a secondary effect: Jenkins servers can be tricked into continuously sending packets to each other, causing them to enter an infinite loop across the internet and eventually crash.
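As an added illustration, not part of the article or of Jenkins' own tooling, the following Python snippet checks constructed NetFlow-style records for the two patterns described above: small probes to UDP port 33848 answered by much larger replies, and two servers bouncing 33848-to-33848 traffic between each other. The record format, thresholds and all addresses are assumptions made for the example.

```python
from collections import defaultdict

JENKINS_DISCOVERY_PORT = 33848

# Constructed NetFlow-style records (made up for this example), one per line:
# src sport dst dport bytes packets
SAMPLE_FLOWS = """\
203.0.113.7 51000 192.0.2.10 33848 200 200
192.0.2.10 33848 203.0.113.7 51000 24000 200
192.0.2.10 33848 192.0.2.20 33848 6000 50
192.0.2.20 33848 192.0.2.10 33848 6000 50
198.51.100.3 40000 192.0.2.10 33848 3 3
192.0.2.10 33848 198.51.100.3 40000 360 3
"""


def parse_flows(text):
    """Parse the whitespace-separated records into tuples with numeric fields."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, nbytes, pkts = line.split()
            flows.append((src, int(sport), dst, int(dport), int(nbytes), int(pkts)))
    return flows


def analyse(flows, ratio_threshold=10.0, min_packets=100):
    """Return (reflections, loops): reflections are (server, peer, ratio) where a
    server's 33848 replies to a peer exceed that peer's probe bytes by ratio_threshold
    at volume; loops are server pairs exchanging 33848->33848 traffic both ways."""
    inbound = defaultdict(int)                 # (server, peer) -> probe bytes
    outbound = defaultdict(lambda: [0, 0])     # (server, peer) -> [reply bytes, reply pkts]
    directions = defaultdict(set)              # frozenset pair -> (src, dst) seen
    for src, sport, dst, dport, nbytes, pkts in flows:
        if sport == JENKINS_DISCOVERY_PORT and dport == JENKINS_DISCOVERY_PORT:
            directions[frozenset((src, dst))].add((src, dst))
        elif dport == JENKINS_DISCOVERY_PORT:   # probe towards a Jenkins server
            inbound[(dst, src)] += nbytes
        elif sport == JENKINS_DISCOVERY_PORT:   # reply from a Jenkins server
            outbound[(src, dst)][0] += nbytes
            outbound[(src, dst)][1] += pkts
    reflections = []
    for (server, peer), (out_bytes, out_pkts) in outbound.items():
        in_bytes = inbound.get((server, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_pkts >= min_packets and ratio >= ratio_threshold:
            reflections.append((server, peer, round(ratio, 1)))
    loops = [tuple(sorted(pair)) for pair, seen in directions.items() if len(seen) == 2]
    return reflections, loops
```

In the sample, the 200-packet exchange with 203.0.113.7 is flagged as a 120x reflection, the 3-packet exchange is below the volume threshold, and the two 192.0.2.x servers are reported as a loop pair.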

Companies that expose Jenkins servers to the internet are advised to update to v2.219, or at least block incoming traffic to UDP port 33848.