Tl;dr We discovered hundreds of publicly-exposed Jenkins servers that should have been protected with authentication; 3% had live credentials in their build logs.
Jenkins, the popular open-source automation server, can be run locally or in the cloud; wherever it runs, every instance should require authentication. Otherwise anyone who can reach it can comb through build logs for credentials, execute code on the server, or move laterally to the build agents attached to it.
Unfortunately, we found hundreds of Jenkins servers publicly exposed on the internet without any authentication requirements and an alarming percentage of them revealed live API keys and passwords.
Identifying Public Jenkins Servers
To start our research, we built a list of public Jenkins servers that did not require any authentication using the search engine Shodan.
A simple search for “Jenkins” on Shodan returned over 78,000 servers; however, most were honeypots or required some type of authentication. We used the nuclei template (http/technologies/jenkins-detect) to request each server’s `/whoAmI/` endpoint, which reports the identity Jenkins assigns to the requester, and kept only servers that answered an unauthenticated request as the anonymous user.
We ended up with 453 live, publicly exposed Jenkins servers without any authentication requirements.
Note: We did not attempt to bypass any forms of authentication. Instead, we only considered Jenkins servers that were browsable by anyone on the public internet.
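The triage step described above, written out as an added example (this is not code from the original post, from nuclei or from TruffleHog). Jenkins reports the requesting identity at `/whoAmI/`, and as JSON at `/whoAmI/api/json`; an instance that enforces no authentication answers an unauthenticated request as the built-in `anonymous` user. The JSON field names used here (`_class`, `anonymous`, `authenticated`, `name`, `authorities`) are assumed from Jenkins' WhoAmI output, and the host names and response bodies are constructed so the script runs offline without touching the network.

```python
"""Triage candidate Jenkins hosts by what /whoAmI/api/json says about us.

Added example, not code from the original post, from nuclei or from
TruffleHog. The response field names are assumed from Jenkins' WhoAmI
JSON; the hosts and bodies below are constructed stand-ins for HTTP
responses, so nothing is fetched from the network.
"""
import json

# Constructed (status_code, body) pairs standing in for HTTP responses.
SAMPLE_RESPONSES = {
    # No authentication enforced: an anonymous request is answered as "anonymous".
    "ci-open.example": (200, json.dumps({
        "_class": "hudson.security.WhoAmI",
        "anonymous": True, "authenticated": False,
        "authorities": ["anonymous"], "name": "anonymous"})),
    # Authentication enforced: Jenkins rejects the anonymous request.
    "ci-locked.example": (403, "<html>Authentication required</html>"),
    # Not Jenkins at all (for example a honeypot serving a look-alike page).
    "honeypot.example": (200, "<html><title>Dashboard [Jenkins]</title></html>"),
    # What a valid session sees, included only to show the contrast.
    "ci-session.example": (200, json.dumps({
        "_class": "hudson.security.WhoAmI",
        "anonymous": False, "authenticated": True,
        "authorities": ["authenticated"], "name": "alice"})),
}


def classify_whoami(status_code, body):
    """Map one /whoAmI/api/json response to a triage label."""
    if status_code in (401, 403, 302):  # 302: redirect to the login page
        return "auth-required"
    if status_code != 200:
        return "unreachable-or-not-jenkins"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-jenkins"
    if data.get("_class") != "hudson.security.WhoAmI":
        return "not-jenkins"
    if data.get("anonymous") is True or data.get("name") == "anonymous":
        return "anonymous-read"
    return "authenticated"


def triage(hosts, fetch):
    """Classify each host using fetch(host) -> (status_code, body)."""
    return {host: classify_whoami(*fetch(host)) for host in hosts}


def fetch_sample(host):
    """Stand-in for an HTTP GET of https://<host>/whoAmI/api/json."""
    return SAMPLE_RESPONSES[host]


def open_servers(hosts=SAMPLE_RESPONSES, fetch=fetch_sample):
    """Hosts that answered an unauthenticated request as the anonymous user."""
    return sorted(h for h, label in triage(hosts, fetch).items()
                  if label == "anonymous-read")


if __name__ == "__main__":
    for host, label in triage(SAMPLE_RESPONSES, fetch_sample).items():
        print(f"{host:22} {label}")
```

Only hosts labelled `anonymous-read` go on to the build-log scan; a 401, 403 or redirect to the login page means the server is doing what it should, and the script never attempts to get past it. To use it against real hosts, replace `fetch_sample` with a function that performs the GET and returns the status code and body.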
Finding Secrets in Jenkins Build Logs
Using TruffleHog’s new Jenkins scanner, we checked each server’s build logs for secrets by running the following command:
TruffleHog identified 26 unique, live secrets from 14 different servers. That means just over 3% of all scanned servers contained at least one live secret.
The graph below shows the breakdown by secret type:
Unsurprisingly, nearly half of the tokens belonged to cloud providers (AWS and Alibaba). The remainder belonged to popular SaaS providers such as GitHub, OpenAI and Slack.
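To make the scanning step concrete, here is an added example of the detection half of what a build-log secret scanner does (this is not TruffleHog's scanner and not code from the original post; it also serves the recommendation below to scan build logs regularly). It runs a few heuristic regexes for the credential families named above (AWS, GitHub, Slack, OpenAI) over constructed Jenkins console output of the kind served at `/job/<name>/<build>/consoleText`, reports hits per job and build, and redacts the values before they are printed. It does not check whether a hit is live; that verification against the provider is what separates raw matches from the 26 confirmed secrets in the post. The job names, build numbers, log text and token values are all constructed, and the AWS key is the documented AWS example key.

```python
"""Scan Jenkins console logs for credential patterns.

Added example, not code from the original post and not TruffleHog's
scanner. Detection only: no liveness verification is performed. All
job names, build numbers, log lines and credential values are
constructed for the example.
"""
import re

# Heuristic patterns. Real scanners use tighter detectors per provider
# and then verify each candidate against the provider's API.
PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "OpenAI API key": re.compile(r"\bsk-[A-Za-z0-9]{32,}\b"),
}

# Constructed console output, keyed by (job, build number). The values
# are fake; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
SAMPLE_BUILD_LOGS = {
    ("deploy-prod", 42): (
        "Started by user ci-bot\n"
        "+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "+ export AWS_SECRET_ACCESS_KEY=****\n"
        "+ curl -H 'Authorization: token ghp_" + "a" * 36 + "' https://api.github.com/user\n"
        "Finished: SUCCESS\n"
    ),
    ("nightly-tests", 7): (
        "Started by timer\n"
        "+ pytest -q\n"
        "Finished: SUCCESS\n"
    ),
    ("notify", 3): (
        "+ curl -d token=xoxb-123456789012-ABCDEFGHIJKLMNOPQRSTUVWX"
        " https://slack.com/api/chat.postMessage\n"
        "Finished: FAILURE\n"
    ),
}


def scan_log(text):
    """Return (line_number, kind, value) for every pattern hit in one log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
    return findings


def redact(secret, keep=4):
    """Keep a short prefix so a finding is recognisable without reprinting the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_server(build_logs):
    """Return {(job, build): [(line_number, kind, redacted_value)]} for builds with hits."""
    report = {}
    for (job, build), text in build_logs.items():
        hits = scan_log(text)
        if hits:
            report[(job, build)] = [(ln, kind, redact(val)) for ln, kind, val in hits]
    return report


def count_by_kind(report):
    """Breakdown by secret type, the same view as the chart in the post."""
    counts = {}
    for findings in report.values():
        for _, kind, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    report = scan_server(SAMPLE_BUILD_LOGS)
    for (job, build), findings in sorted(report.items()):
        for lineno, kind, value in findings:
            print(f"{job}#{build} line {lineno}: {kind}: {value}")
    print(count_by_kind(report))
```

Two points the example makes that the text alone does not: a single build can leak several unrelated credentials (the deploy job above exposes both an AWS key and a GitHub token from one shell step that echoed its commands), and the report should carry redacted values, since a findings file that reprints the secrets is itself a new place for them to leak.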
Disclosures
As with all of our research, we attempted to disclose the results of our scans to the impacted users. Unfortunately, it’s not straightforward to determine who owns a Jenkins server. With a little bit of investigating, we managed to identify contacts for 10 of the 14 servers. We sent them the following email:
Conclusion
While our research was not exhaustive, we validated that organizations are leaking live secrets on publicly-exposed Jenkins servers. If you administer a Jenkins server, we recommend the following:
Require authentication and do not grant the anonymous user read access, so that attackers cannot browse job build logs
Regularly scan build logs for secrets using a secret scanner, and rotate any credential it finds
For more details on how to scan a Jenkins server using TruffleHog, please view this blog post or TruffleHog’s README.