Jenkins servers are vulnerable to data theft, takeover, and cryptocurrency mining attacks, because attackers can exploit two vulnerabilities in these servers to obtain admin rights or to log in with credentials that should not be valid.
Security researchers at CyberArk discovered the two vulnerabilities and reported them privately to the Jenkins team, which has released patches. But despite fixes being available for both issues, thousands of Jenkins servers that have not applied them are still exposed online.
Jenkins is an open source automation server written in Java. This continuous integration web application lets development teams run automated tests on code repositories, run commands based on the test results, and even automate the deployment of new code to production servers. Jenkins is widely used in companies of all sizes and is favored by freelancers and enterprises alike.
The first vulnerability, tracked as CVE-2018-1999001, lets an attacker supply malformed login credentials that cause a Jenkins server to move its config.xml file out of the Jenkins home directory to another location.
If an attacker then causes the Jenkins server to crash and restart, or when the server restarts on its own, it boots into a default configuration that provides no security.
In such a weakened setup, anyone can register on the Jenkins server and obtain administrator access. With the administrator role, an attacker can read any private source code, or alter the code to plant backdoors in a company's apps.
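As an added example, not code from the article or from CyberArk or the Jenkins project: a small Python audit a defender can run against JENKINS_HOME to detect the unsecured state described above (config.xml missing, useSecurity switched off, or open self-registration). The element names are the ones Jenkins writes to config.xml; the sample configurations are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def audit_config_xml(xml_text):
    """Return findings for one config.xml body; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # <useSecurity>false</useSecurity> is the state Jenkins falls back to when
    # config.xml is gone: every visitor then acts as administrator.
    if root.findtext("useSecurity", default="false").strip().lower() != "true":
        findings.append("useSecurity is not true: access control is switched off")
    realm = root.find("securityRealm")
    if realm is None:
        findings.append("no securityRealm configured")
    elif realm.get("class") == "hudson.security.HudsonPrivateSecurityRealm":
        # Jenkins' own user database; open sign-up lets anyone create an account.
        if realm.findtext("disableSignup", default="false").strip().lower() != "true":
            findings.append("self-registration is open (disableSignup is not true)")
    return findings

def audit_jenkins_home(jenkins_home):
    """Audit JENKINS_HOME on disk; a missing config.xml is itself a finding."""
    path = os.path.join(jenkins_home, "config.xml")
    if not os.path.isfile(path):
        # CVE-2018-1999001 moves this file out of JENKINS_HOME, so the next
        # restart comes up with the default (unsecured) settings.
        return ["config.xml missing from JENKINS_HOME"]
    with open(path, encoding="utf-8") as fh:
        return audit_config_xml(fh.read())

# Constructed samples: a hardened instance and one in the unsecured default state.
SECURE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

INSECURE_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

def demo_missing_config():
    # Run the on-disk check against an empty, temporary JENKINS_HOME.
    with tempfile.TemporaryDirectory() as home:
        return audit_jenkins_home(home)
```

Run audit_jenkins_home against the real JENKINS_HOME from a cron job or a monitoring agent so that a config.xml that disappears, or flips to useSecurity false after a restart, raises an alert rather than going unnoticed.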
The second vulnerability, CVE-2018-1999043, lets an attacker create temporary user records in the server's memory, giving the attacker a short window in which they can authenticate using these ghost usernames and credentials.
These two vulnerabilities were fixed in July and August respectively, but not all server owners have bothered to install the security updates.
There are thousands of Jenkins installations online, and since the attacker does not need to be logged in, any of these servers could have been attacked.
There are also installations within closed networks that cannot be reached from the Internet, but anyone with access to such a network can still pull off this attack.
About 2,000 vulnerable Jenkins servers have been found so far, but the total number of Internet-accessible vulnerable servers is believed to possibly exceed 10,000.
Earlier this year, cyber-criminals exploited older vulnerabilities to take over Jenkins instances and misuse them to mine cryptocurrency, earning large sums.
Jenkins server owners are therefore advised to patch as soon as possible to keep attackers out of their servers.