When a widely used developer tool has a security vulnerability, the thousands of online services built on that tool inherit the exposure. One such tool is Jenkins, a continuous integration server that developers use to run automated builds, tests and commands against their code repositories.
In a recent discovery, CyberArk reported two vulnerabilities in Jenkins, which the Jenkins team has since fixed. However, as is often the case, users of such tools are not always up to date on the security risks or the necessary mitigations. This has left thousands of Jenkins servers exposed to attackers who, starting from nothing more than an anonymous connection, could gain administrator access to those servers.
Earlier this year, CyberArk researchers discovered a flaw in the Jenkins authentication process: by supplying irregular (malformed) login credentials, an attacker could cause the Jenkins server to move its configuration file out of its home directory to a different location.
Without that configuration file, Jenkins starts up in its default configuration, with security disabled. To get the server into that state, an attacker only had to crash it, which triggers an automatic restart, or simply wait for it to be restarted normally.
At that point, the attacker could register their own account on the Jenkins server and obtain administrator access. Once that is done, the attacker has free rein to modify the source code managed by that server and even plant backdoors in it.
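The conditions that make this scenario possible (the global security switch off, everyone granted full control, self-registration open on the built-in user database) are all visible in Jenkins' own `$JENKINS_HOME/config.xml`. The following audit script is an added example, not code from this article, from CyberArk or from the Jenkins project; the two configuration fragments are constructed samples modelled on the layout of a Jenkins `config.xml`, and the function and finding names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the state Jenkins falls back to when its
# config.xml is gone: security off, everyone has full control, and the
# built-in user database accepts self-registration. (Real files also carry
# an XML declaration, omitted here.)
INSECURE_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed sample of a hardened instance: security on, logged-in users
# only, anonymous read denied, self-registration disabled.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""


def _text(root, path):
    """Return the stripped text of the first element at `path`, or None."""
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else None


def audit_jenkins_config(xml_text):
    """Return a list of finding codes (hypothetical names) for the
    security-relevant settings in a Jenkins config.xml. An empty list means
    none of the checked weaknesses was present."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Global security switch. Absent, or anything other than "true",
    #    means Jenkins runs with no authentication or authorization at all.
    if _text(root, "useSecurity") != "true":
        findings.append("security_disabled")

    # 2. Authorization strategy. The Unsecured strategy (and a missing
    #    strategy) grants full control to everyone, anonymous included.
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or strategy_class.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("unsecured_authorization")
    elif (strategy_class.endswith("FullControlOnceLoggedInAuthorizationStrategy")
          and _text(strategy, "denyAnonymousReadAccess") != "true"):
        findings.append("anonymous_read_allowed")

    # 3. Security realm. With Jenkins' own user database, open sign-up lets
    #    an attacker create the very account that then gets full control.
    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if (realm_class.endswith("HudsonPrivateSecurityRealm")
            and _text(realm, "disableSignup") != "true"):
        findings.append("signup_enabled")

    return findings


def audit_jenkins_config_file(path):
    """Audit a config.xml on disk, e.g. $JENKINS_HOME/config.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_jenkins_config(fh.read())


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or "no findings")
```

Because the attack described above works by making the file disappear rather than by editing it, the useful deployment of such a check is not a one-off scan but a comparison of the live `config.xml` against a known-good copy (or a check that it still exists with the expected settings) before and after every restart, with any drift treated as an incident rather than a misconfiguration.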
This alone was a serious vulnerability, but it was not the only one. The researchers soon found a second flaw that was equally dangerous for Jenkins server owners.
Using the second vulnerability, an attacker could create temporary user records in the server's memory and then authenticate with those records for the short period in which they remained in place.
The Jenkins team fixed both flaws, the first in July and the second in August. CyberArk has published a technical analysis of the two vulnerabilities.
Though the vulnerabilities were fixed promptly, it is not surprising that thousands of Jenkins installations still run an outdated version of the software, which leaves them exposed to attackers.
“Using this link, we can see there are close to 78,000 total online Jenkins installations. Since our attack example doesn't require the attacker to be logged in, any of these could have been attacked,” Nimrod Stoler from CyberArk, told ZDNet.
According to Stoler, many more installations sit inside closed networks and are not visible to a Shodan search. An attacker who gains a foothold in one of those networks can exploit the same vulnerabilities if the server owners have not taken the necessary precautions.
Shodan shows over 2,000 Jenkins servers that are vulnerable. However, the real number could be higher than 10,000, according to ZDNet.
This is not the first time that Jenkins servers have faced serious threats from cybercriminals. In 2018, a hacker group gained control over multiple Jenkins servers and used them for cryptocurrency mining. The group is estimated to have earned over $3.4 million in Monero within a few months. Jenkins users are advised to update their servers to the latest version to avoid exposure to such attacks.