GE Aviation Passwords, Source Code Exposed in Open Jenkins Server
A DNS misconfiguration resulted in an open Jenkins server being available to all.
A public Jenkins server owned by GE Aviation has exposed source code, plaintext passwords, global system configuration details and private keys from the company’s internal commercial infrastructure.
GE Aviation, a subsidiary of General Electric, is among the top commercial aircraft engine suppliers and offers various airplane components. The server also contained a ReadMe file outlining all the files it held and their sensitivity.
Jenkins is an open source automation server written in Java. A misconfiguration in the server’s DNS scheme, which resolves human-readable domain names into the IP addresses computers use, caused the impacted server to become exposed to the open internet, according to the company.
“Jenkins is a service instance used by developers for integration and deployment. It is accessed via browser and can keep very sensitive information,” said Bob Diachenko, the security researcher who discovered the exposed data, in a Monday post. “Apart from source code itself, which is IP (Intellectual Property), it’s possible to dig out config files, API tokens, database credentials and a lot more.”
Diachenko stumbled upon the open server after checking how many open Jenkins instances are available for search via Shodan. As of July 7, 2019, there were 5,495 open and publicly available Jenkins instances, Diachenko said.
“The main issue with Jenkins (as with other service instances) is the absence of a master password to access the panel. So data and code are visible to anyone,” Diachenko told Threatpost. “Developers just disable password protection for their own convenience (e.g. when working remotely on a project).”
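The exposure Diachenko describes is detectable from the outside with a single unauthenticated request: a Jenkins instance with anonymous read enabled answers `GET /api/json` with its job listing, while one that enforces a login returns 401 or 403. The following self-audit script is an added example for checking your own instance, not code from the article or from Jenkins; the sample responses are constructed, and the `classify` function is kept separate from the network call so it can be tested offline.

```python
"""Self-audit: does my Jenkins instance answer anonymous API requests?

Point audit() at your own Jenkins base URL. The classification logic is a
pure function of (status, body) so it can be checked on constructed data.
"""
import json
import urllib.error
import urllib.request

EXPOSED = "exposed: anonymous read enabled"
AUTH_REQUIRED = "ok: authentication enforced"
UNKNOWN = "unknown: not a Jenkins API response"


def classify(status: int, body: str) -> str:
    """Classify an anonymous GET of <base>/api/json.

    200 with a job listing means anyone who can reach the server can browse
    jobs, build logs and often configuration; 401/403 means a login is
    required, which is the expected state for an internet-reachable host.
    """
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return UNKNOWN  # e.g. an HTML login page served with 200
        if isinstance(data, dict) and "jobs" in data:
            return EXPOSED
    return UNKNOWN


def audit(base_url: str, timeout: float = 10.0) -> str:
    """Fetch <base_url>/api/json with no credentials and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/json",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403 arrive as exceptions
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from any real server).
SAMPLE_OPEN = '{"_class": "hudson.model.Hudson", "jobs": [{"name": "deploy"}]}'
SAMPLE_NO_JOBS = '{"_class": "hudson.model.Hudson"}'
SAMPLE_HTML = "<html><body>Please sign in</body></html>"

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]))
```

A result of `EXPOSED` on a host reachable from the internet is the condition described in this article; the fix is to enable a security realm and remove anonymous read rather than to block the API path.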
Diachenko said that after discovering the open GE Aviation server in June, he sent several notifications to GE and was eventually contacted by the security team, after which the server was secured. He said it is unknown how long it had been open to public access.
GE Aviation for its part classified the exposure as medium-risk, despite the number and sensitivity of exposed files. The company said that it has not seen any evidence that other parties accessed the data on the server, but reset all credentials as a “precautionary measure.”
“Plaintext usernames and passwords were exposed on this server, but these credentials mapped to applications only accessible from our internal network, and no customer data, nor any significant GE data, was impacted,” according to GE Aviation’s statement. “Furthermore, even if a malicious actor were to have acquired these credentials, they would also need access to our internal environment to exploit them.”
GE Aviation did not respond to a request for further comment from Threatpost.
Inadvertent data exposure continues to plague companies. In June, three publicly accessible cloud storage buckets from data management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers, including internal business documents, system passwords and sensitive employee information. In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. And in April, hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.