Pierluigi Paganini January 21, 2018

Security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

The researchers clarify that he did not exploit any vulnerabilities to gain access to Jenkins servers, he simply analyzed open ones.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

The researcher used the Shodan search engine to find Jenkins servers accessible online, he discovered roughly 25,000 instances. The analysis of approximately half of them revealed that 10-20% were misconfigured, then the researchers manually analyzed each of them and notified affected vendors.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Tunç also found some Jenkins servers that implemented SAML/OAuth authentication system linked to Github or Bitbucket, unfortunately, they allowed any GitHub or Bitbucket account to log in rather than legitimate owners.

“Misconfigured in this context means any one of the following:

• Wide open to the internet with either guest or administrative permissions by default – guest can be just as catastrophic and damaging as having admin rights
• The web application was behind a log-in prompt but allowed ‘self-registration’ which granted guest or admin rights
• The web application was behind a SAML/OAuth log-in linked to Github or Bitbucket but was misconfigured to allow anyGithub/Bitbucket account to log-in to Jenkins rather than being locked down to the organisation’s user pool

” wrote the expert in a blog post.

Tunç reported that almost all of the misconfigured instances he analyzed also leaked sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

The researcher also found Google had exposed sensitive tokens on their Jenkins instance, the company promptly solved the problem after being informed via its bug bounty program.

Other instances discovered by the experts that belong to major organizations are:

• London’s government-funded transport body Transport for London;
• Supermarkets Sainsbury’s and Tesco;
• A company who manufacturers toys for children;
• Credit checking company ClearScore;
• Newspaper publisher News UK;
• educational publisher Pearson, and newspaper publisher News UK.

“It’s 2018 and most organisations don’t have the most basic of responsible disclosure processes in place. Surprisingly (or not) big names fall foul of this problem too.” concluded the researcher.

“If you work in InfoSec or are responsible for the security of your infrastructure, now’s a good time to methodically crawl through your infrastructure to ensure you’re not unknowingly exposing sensitive interfaces to the internet. It only takes one misconfigured instance to destroy your business.”

Pierluigi Paganini

(Security Affairs – CIA Director, email hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]