The researchers clarify that he did not exploit any vulnerabilities to gain access to Jenkins servers, he simply analyzed open ones.
Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.
The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.
The researcher used the Shodan search engine to find Jenkins servers accessible online, he discovered roughly 25,000 instances. The analysis of approximately half of them revealed that 10-20% were misconfigured, then the researchers manually analyzed each of them and notified affected vendors.
Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.
The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.
Tunç also found some Jenkins servers that implemented SAML/OAuth authentication system linked to Github or Bitbucket, unfortunately, they allowed any GitHub or Bitbucket account to log in rather than legitimate owners.
“Misconfigured in this context means any one of the following:
” wrote the expert in a blog post.
Tunç reported that almost all of the misconfigured instances he analyzed also leaked sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.
The researcher also found Google had exposed sensitive tokens on their Jenkins instance, the company promptly solved the problem after being informed via its bug bounty program.
Other instances discovered by the experts that belong to major organizations are:
“It’s 2018 and most organisations don’t have the most basic of responsible disclosure processes in place. Surprisingly (or not) big names fall foul of this problem too.” concluded the researcher.
“If you work in InfoSec or are responsible for the security of your infrastructure, now’s a good time to methodically crawl through your infrastructure to ensure you’re not unknowingly exposing sensitive interfaces to the internet. It only takes one misconfigured instance to destroy your business.”
(Security Affairs – CIA Director, email hacking)