Skip to main content

Responsible Disclosure : Security Misconfiguration leading to HPE's Jenkins exposed to internet without authentication

Introduction

In the world of DevOps and CI/CD, Jenkins holds a special place as a versatile automation tool. However, like any software, it's not immune to security vulnerabilities or misconfiguration. In this blog post, we'll explore a recent Jenkins security misconfiguration issue I discovered and reported to HPE Security Response on 5th May 2023. Now that the issue is resolved, I'm sharing the technical details of the discovery. 

Disclaimer: Rest assured, no information has been disclosed to any third party, and no actions have been taken that could potentially harm the organization. It's important to clarify that no scanning of HPE assets has occurred. In adherence to the responsible disclosure process, I promptly reported the identified issue and maintained complete confidentiality for over 150+ days before sharing this disclosure. This publication strictly refrains from revealing any information related to HPE, their users, customers, or any associated entities.  This is work from my personal time and not related to any of my current or past employer.

A Focus on CICD Security and Jenkins

My research work in CICD security led me to closely examine Jenkins, a critical component in many development pipelines. For a deep dive into Jenkins Attack Surfaces, you can refer to my GitHub repository [here](https://github.com/dibsy/Recipies-Of-A-Jenkins-Hacker). 

Identifying Exposed Jenkins Controllers

The challenge at hand was identifying publicly exposed Jenkins controllers efficiently. To avoid extensive scanning efforts, I turned to Shodan, a specialized search engine for internet-connected devices. It helped me spot exposed Jenkins controllers quickly.

During a thorough analysis of numerous results using a custom analysis tool I developed ( https://github.com/dibsy/jenkills ), I came across multiple exposed instances associated with various organizations, including one within HPE.

Unearthing the Jenkins API Quirk

A significant hurdle emerged when trying to determine these controllers belonged to which organizations. Reverse IP lookups typically pointed to AWS / Azure where many Jenkins infrastructures are hosted as organizations prefer to use Cloud for CICD build environments. The other option would have been going into individual builds and investigating organization emails / internal urls.

My breakthrough came when I discovered a feature of the Jenkins API: "http://jenkins-server/api/json". This endpoint provides a ton of information about the Jenkins controller including a "url" key associated with a FQDN which points to the same IP. Sometimes this key can hold the value of the host IP. You can also find a generic response here https://github.com/dibsy/Recipies-Of-A-Jenkins-Hacker/tree/main/enumeration Please note the below response is from a test environment and does not belong to impacted org's Jenkins controller

Root Cause Analysis

Upon attempting to access the website via the discovered FQDN ( xxx.xxx.xxx.hpe.com:8443 ), I encountered certificate errors, indicating authentication issues. Many organizations rely on this method for secure access to their applications using from browser using a client certificate authentication. 

The issue likely stems from an initial design expectation that only successful authentication to the Jenkins controller would be allowed based on the Fully Qualified Domain Name (FQDN) of the controller. In such a design, a valid client certificate would facilitate authentication, while any other attempt would trigger a negotiation error, safeguarding the system.

However, the problem arose due to the absence of any restrictions when attempting to access the controller via its IP address. This oversight allowed Shodan to detect the exposed controller in the first place, revealing an unintended exposure.

Responsible Disclosure

In line with ethical practices, I exercised caution. Instead of probing for sensitive data, I selected a non-sensitive build to capture a screenshot for my report to the HPE Security Response Team.


A Silent Response

After reporting the security issue to HPE Security Response and waiting for more than 150+ days, I received no response from their side. In the spirit of transparency, I'm sharing this write-up now that the issue is resolved as I validated and no longer could reproduce this issue. 

Conclusion

Jenkins security is a continuous process, and identifying misconfigurations is a crucial part of that process. This journey highlights the technical aspects of uncovering a security issue and responsibly disclosing it. 

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more