Haoxi Tan

The Dig

July 10, 2024

Leaked Secrets in Public Jenkins Logs


Tl;dr We discovered hundreds of publicly-exposed Jenkins servers that should have been protected with authentication; 3% had live credentials in their build logs. 



Jenkins, the popular open-source automation server, can be run locally or in the cloud; however, all Jenkins instances should be protected with authentication. Otherwise, threat actors can comb through build logs for sensitive information, execute remote code, or even move laterally to secondary nodes.

Unfortunately, we found hundreds of Jenkins servers publicly exposed on the internet without any authentication requirements and an alarming percentage of them revealed live API keys and passwords.

Identifying Public Jenkins Servers

To start our research, we built a list of public Jenkins servers that did not require any authentication using the search engine Shodan. 



A simple search for “Jenkins” on Shodan returned over 78,000 servers; however, most were honeypots or required some type of authentication. We used the nuclei template (http/technologies/jenkins-detect) to scan each server’s `/whoAmI/` endpoint to verify our level of access and filter our list.


```shell
nuclei -l targets.txt -t http/technologies/jenkins-detect -o urls.txt
```


We ended up with 453 live, publicly exposed Jenkins servers without any authentication requirements. 

Note: We did not attempt to bypass any forms of authentication. Instead, we only considered Jenkins servers that were browsable by anyone on the public internet.

Finding Secrets in Jenkins Build Logs

Using TruffleHog’s new Jenkins scanner, we checked each server’s build logs for secrets by running the following command:

```shell
trufflehog jenkins --url http://<IP>:<PORT>
```

TruffleHog identified 26 unique, live secrets from 14 different servers. That means just over 3% of all scanned servers contained at least one live secret.

The graph below shows the breakdown by secret type:



Unsurprisingly, nearly half of the tokens belonged to cloud providers (AWS and Alibaba). The remainder belonged to popular SaaS providers such as GitHub, OpenAI and Slack.

Disclosures

As with all of our research, we attempted to disclose the results of our scans to the impacted users. Unfortunately, it’s not straightforward to determine who owns a Jenkins server. With a little bit of investigating, we managed to identify contacts for 10/14 servers. We sent them the following email:


Conclusion

While our research was not exhaustive, we validated that organizations are leaking live secrets on publicly exposed Jenkins servers. If you administer a Jenkins server, we recommend the following:

  • Implement sufficient access controls to prevent attackers from reading the job build logs

  • Regularly scan build logs for secrets using a secret scanner
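The two checks above, written up as a self-audit an administrator can run against their own server. This is an added example, not code from the post or from TruffleHog or nuclei; it assumes that `/whoAmI/api/json` returns the `anonymous` and `name` fields exported by Jenkins' `WhoAmI` class, and the token regexes are this example's own, narrower than TruffleHog's detectors (which also verify that a secret is live).

```python
import json
import re

# Secret-shaped token patterns for the providers named in the post. The prefixes
# are public; the exact regexes are this example's assumption and are much
# narrower than what TruffleHog's detectors (which also verify liveness) cover.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}

def anonymous_browsing_allowed(whoami_json: str) -> bool:
    """Decide from the body of GET /whoAmI/api/json whether the unauthenticated
    caller is being served as Jenkins' built-in 'anonymous' principal, i.e.
    the server is browsable without logging in. A locked-down server answers
    this request with a login redirect or 403 instead of JSON."""
    data = json.loads(whoami_json)
    return data.get("anonymous") is True or data.get("name") == "anonymous"

def find_secret_candidates(console_text: str):
    """Scan a job's console output and return (line_no, kind, masked) tuples.
    Values are masked so the audit report does not become one more copy of
    the secret; a token Jenkins already masked as **** produces no hit."""
    hits = []
    for line_no, line in enumerate(console_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                hits.append((line_no, kind, token[:4] + "..." + token[-4:]))
    return hits

# Constructed sample inputs (not captured from any real server).
SAMPLE_WHOAMI = ('{"_class":"hudson.security.WhoAmI","anonymous":true,'
                 '"authenticated":true,"authorities":["anonymous"],"name":"anonymous"}')
SAMPLE_CONSOLE = """Started by user admin
[Pipeline] sh
+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ git clone https://ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789@github.com/example/repo.git
+ curl -H 'Authorization: Bearer ****' https://api.openai.com/v1/models
Finished: SUCCESS
"""

if __name__ == "__main__":
    print("anonymous browsing allowed:", anonymous_browsing_allowed(SAMPLE_WHOAMI))
    for line_no, kind, masked in find_secret_candidates(SAMPLE_CONSOLE):
        print(f"line {line_no}: {kind} {masked}")
```

A hit on a line that Jenkins did not mask usually means the secret was echoed by a shell step rather than injected through the credentials binding, which is the fix to make alongside rotating the key.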

For more details on how to scan a Jenkins server using TruffleHog, please view this blog post or TruffleHog’s README.