The Jenkins server has since been pulled offline
A Jenkins server belonging to a top aviation supplier was temporarily exposed to the public, revealing configuration details and plaintext passwords across the company’s internal network.
GE Aviation, the aerospace subsidiary of General Electric, quickly secured its files and pulled the Jenkins server offline after learning of the issue from researcher Bob Diachenko.
Jenkins is an open source automation server that helps developers build, test, and maintain their software.
Jenkins is typically reachable from internal networks only, although an attacker can exfiltrate information from exposed servers using various techniques or tools.
It is not known how long the server was exposed for.
Diachenko, who is known for scouring the internet for privacy-fouling databases, informed the firm after discovering that what appeared to be internal systems were exposed on the internet.
“This Readme file found inside of the repository explains all the details about the nature and sensitivity of the files there. Server contained source code, plaintext passwords, configuration details, private keys from a variety of GE Aviation internal infrastructure,” Diachenko writes in a blog post published yesterday.
“Immediately upon discovery I have sent several notifications to the GE team and on their Twitter and was contacted by security team within a couple of hours after the alert made,” he said.
There are multiple ways a Jenkins server could become public-facing – GE Aviation told Diachenko that in its case a DNS misconfiguration issue was to blame.
GE Aviation said that the issue was medium-risk since the exposed data “mapped to applications only accessible from our internal network”.
No customer data or sensitive company information was impacted, it added.
“We have not seen any evidence that other parties have accessed the data on this server,” GE Aviation writes in a statement to Diachenko.
“That said, as a precautionary measure, we reset all credentials exposed on the server.
“Our recommendation to other companies is to perform regular auditing of their static DNS mappings to ensure that mappings that no longer need to exist are deleted to avoid a similar situation.”
GE Aviation explained that an attacker would need access to its internal environment in order to exploit the credentials that had been made temporarily public.
The Daily Swig has reached out to GE Aviation for comment.
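The static DNS audit that GE Aviation recommends can be run as a periodic check of zone records against an asset inventory. The sketch below is an added example, not code from GE Aviation or Diachenko; the record list, inventory, and the `.corp.example.com` internal suffix are constructed assumptions.

```python
import ipaddress

# Constructed sample: static A records exported from a zone (name, address).
STATIC_RECORDS = [
    ("jenkins.corp.example.com", "10.20.4.17"),
    ("build-old.corp.example.com", "203.0.113.45"),
    ("wiki.corp.example.com", "10.20.9.3"),
    ("www.example.com", "198.51.100.10"),
    ("ci-legacy.corp.example.com", "10.20.7.88"),
]
# Constructed inventory: addresses currently assigned to a live, owned asset.
INVENTORY = {"10.20.4.17", "10.20.9.3", "198.51.100.10"}
# Assumption: names under this suffix are meant to be internal-only.
INTERNAL_SUFFIX = ".corp.example.com"
# RFC 1918 ranges, listed explicitly so the result does not depend on how
# the ipaddress module classifies documentation or other special ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_static_mappings(records, inventory, internal_suffix):
    """Return (name, address, finding) tuples for mappings needing review."""
    findings = []
    for name, addr in records:
        ip = ipaddress.ip_address(addr)
        is_internal_name = name.lower().rstrip(".").endswith(internal_suffix)
        is_internal_addr = any(ip in net for net in INTERNAL_NETS)
        # An internal-only name that resolves outside private space is
        # reachable from the internet if anything answers at that address.
        if is_internal_name and not is_internal_addr:
            findings.append((name, addr, "internal name maps to public address"))
        # A mapping whose target is not a known live asset is a candidate
        # for deletion: the address may be reassigned later.
        if str(ip) not in inventory:
            findings.append((name, addr, "stale: no live asset at target"))
    return findings


if __name__ == "__main__":
    for name, addr, finding in audit_static_mappings(
            STATIC_RECORDS, INVENTORY, INTERNAL_SUFFIX):
        print(f"{name:32} {addr:16} {finding}")
```
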