Jenkins is open-source automation software for building continuous integration (CI) and continuous delivery/deployment (CD) environments across virtually any combination of languages and source code repositories. Using Jenkins to automate the build, test, and deployment steps raises software quality and development productivity. It is operated through a web-based console, supports multiple authentication strategies, and extends its automation capabilities through more than 1,800 plugins. That strong, community-contributed plugin ecosystem makes it highly extensible, and Jenkins has more than one million users worldwide.
An open-source server has the advantage of costing nothing to license, but it carries the risk that anyone can reach it if it is left open. Because developers routinely push their work to a shared repository to avoid version conflicts, a vulnerable Jenkins server is an attractive target for attackers. In addition, large software projects often connect hundreds of servers (build agents) to a single Jenkins server, so one neglected open-source server can become a major security flaw that hands an attacker control of hundreds of machines.
The dozens of zero-day vulnerabilities in Jenkins plugins disclosed by the security blog Security Affairs on July 3 demonstrate this risk. Criminal IP lets you query the IP addresses running Jenkins servers through several filters, described below.
Searching Vulnerable Jenkins Server IP addresses Using Favicon Filter
The favicon filter of Criminal IP (https://www.criminalip.io) lets you find IP addresses by searching for the hash of a website's favicon. A favicon ("favorites" + "icon") is the small icon that represents a website.
Almost all company and institutional websites, and most web services offered to users, carry such a favicon. Note that Criminal IP expresses the favicon hash in hexadecimal, whereas common favicon hash calculators output a decimal value, so convert the decimal value to hexadecimal before searching. Searching for the favicon hash of the Jenkins open-source server this way identified 2,663 IP addresses using it.
For more tips on using the favicon filter, refer to the Search Tip for detecting spoofed domains at the bottom of the article.
Search results for favicon: 4dce888 in Asset Search in Criminal IP
Opening one of the IP addresses returned by the search takes you straight to the actual Jenkins server page.
Exposed Jenkins server page without authentication
Searching for Jenkins Vulnerability Using “Title Filter”
Another way to find IP addresses running a Jenkins open-source server is the title filter. The title filter of Criminal IP (https://www.criminalip.io) returns the IP addresses whose web page title contains the given keyword. For more tips on using the title filter, refer to the Search Tip for detecting website defacement at the bottom of the article.
Searching for "title: x-jenkins" in the Criminal IP Asset Search (https://www.criminalip.io/asset) identifies six IP addresses running Jenkins open-source servers.
Results of searching for ‘title: x-jenkins’ in Asset Search on Criminal IP
Among these results is a page that lets anyone view the development source code immediately, without any authentication.
Developer source code repository exposed to the outside world without any authentication
On the same page, the software build status and the build queue could be viewed without any restriction.
Software build status and build queue viewable without any authentication
In addition, the results of already completed deployments could be seen without any restriction.
Software deployment status viewable without any authentication
This is a serious attack surface and a likely source of information leakage.
In addition, Criminal IP (https://www.criminalip.io) can find IP addresses running a Jenkins open-source server even when the web page has no title or favicon, by matching the X-Hudson and X-Jenkins HTTP response headers that Jenkins adds to its responses. Searching with the query below returns a total of 4,196 Jenkins open-source servers.
X_Hudson X_Jenkins 200
Results when searched with the keyword “X_Hudson X_Jenkins 200” on Criminal IP Asset Search
Many of these Jenkins servers can likewise be browsed without any additional authentication. An open-source server that anyone can reach therefore needs particular attention from its administrator: require authentication, limit network exposure, and periodically check the attack surface.
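A practitioner's counterpart to the "X_Hudson X_Jenkins 200" search is to check one's own servers the same way. The following is an added example, not Criminal IP's or the Jenkins project's code: it classifies an HTTP response by the X-Jenkins / X-Hudson headers that Jenkins sends, and treats a 200 on /api/json as evidence that anonymous users can read the instance, while a 403 or a redirect to /login means the instance exists but requires authentication (that interpretation of status codes is this example's assumption). The sample responses are constructed, not captured from any real host; probe() performs a live request only when you call it yourself.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class JenkinsCheck:
    is_jenkins: bool          # X-Jenkins or X-Hudson header present
    version: Optional[str]    # value of X-Jenkins, if any
    anonymous_read: bool      # /api/json answered 200 with no credentials


def classify(status: int, headers: Dict[str, str]) -> JenkinsCheck:
    """Classify one unauthenticated response to GET /api/json.

    Jenkins tags its responses with X-Jenkins (its version) and, for Hudson
    compatibility, X-Hudson; those headers are what the search query above keys on.
    Assumption: a 200 on /api/json means anonymous users hold Overall/Read,
    while 403 or a 3xx to the login page means authentication is enforced.
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_jenkins = "x-jenkins" in h or "x-hudson" in h
    return JenkinsCheck(
        is_jenkins=is_jenkins,
        version=h.get("x-jenkins"),
        anonymous_read=is_jenkins and status == 200,
    )


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to /login must not be mistaken for a 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 5.0) -> JenkinsCheck:
    """Live check of your own server (needs network access; not run by the tests)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/json",
        headers={"User-Agent": "jenkins-exposure-check"},   # hypothetical UA string
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:      # 403, 302, ... still carry the headers
        return classify(err.code, dict(err.headers))


# Constructed sample responses (status, headers); the version strings are made up.
OPEN_SERVER: Tuple[int, Dict[str, str]] = (
    200, {"X-Jenkins": "2.361.1", "X-Hudson": "1.395", "Content-Type": "application/json"})
LOCKED_SERVER: Tuple[int, Dict[str, str]] = (
    403, {"X-Jenkins": "2.361.1", "X-Hudson": "1.395", "Content-Type": "text/html"})
REDIRECT_TO_LOGIN: Tuple[int, Dict[str, str]] = (
    302, {"X-Jenkins": "2.361.1", "Location": "/login?from=%2Fapi%2Fjson"})
NOT_JENKINS: Tuple[int, Dict[str, str]] = (
    200, {"Server": "nginx", "Content-Type": "text/html"})


if __name__ == "__main__":
    for name, sample in [("open", OPEN_SERVER), ("locked", LOCKED_SERVER),
                         ("redirect", REDIRECT_TO_LOGIN), ("other", NOT_JENKINS)]:
        print(name, classify(*sample))
    # Live use against your own instance (hypothetical URL):
    # print(probe("http://jenkins.internal.example:8080"))
```

A result with is_jenkins set and anonymous_read set is the case shown in the screenshots above: the build queue, job pages and deployment results are readable by anyone who finds the address. The fix is on the Jenkins side (enable security, remove Overall/Read from anonymous, and keep the controller off the public internet), after which the same probe should report a 403 or a redirect instead of a 200.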
Source : Criminal IP (https://www.criminalip.io)