GE Aviation is General Electric’s largest source of revenue these days, generating $29.7 billion in 2018. When a security researcher discovered that thousands of the company’s sensitive files were exposed online, he was understandably alarmed.
The leak was found by Bob Diachenko, cyber threat intelligence director at Security Discovery. Its source: a piece of software called Jenkins.
Diachenko happened upon the GE Aviation server while performing a routine search using Shodan. Shodan is a popular tool with security researchers and hackers alike, as it allows them to identify servers that are reachable over the Internet — including many that probably aren’t supposed to be.
Jenkins is a common example. It’s an open source automation server that “helps to automate the non-human part of the software development process.” It’s a very useful tool for developers, but bad habits can turn it into a weak link in the security chain. Diachenko told Threatpost that one concern with Jenkins is that its main panel can be accessed without a master password.
It’s also not uncommon for developers to disable authentication in the name of convenience. That may not have been the case here. GE Aviation staff told Diachenko that a DNS configuration error caused the Jenkins instance to be exposed (DNS is the service that lets a computer convert names like Forbes.com into IP addresses, so a misconfigured record can point a public name at a server that was meant to stay internal).
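The two ways a Jenkins instance ends up open, described above (security switched off, or a server that was supposed to be internal answering to the public), can both be confirmed with an unauthenticated GET of two well-known Jenkins paths. The following is an added example of such a triage check, written for this article; it is not GE’s tooling, not Diachenko’s, and not part of Jenkins itself. It assumes only that the root JSON API lives at /api/json (whose "useSecurity" field reports whether security is enabled at all) and that the Groovy script console lives at /script; a 200 on the latter means an anonymous visitor can run code on the controller. The sample responses at the bottom are constructed for the example.

```python
"""Triage check for an Internet-reachable Jenkins instance (added example).

Two anonymous requests answer the questions that matter:
  1. GET /api/json  -> 200 means anonymous read of the job list (and, via the
     "useSecurity" field, whether security is switched off entirely).
  2. GET /script    -> 200 means the Groovy script console is open, i.e.
     anonymous administrative access to the Jenkins controller.
A healthy instance answers 401/403 to both.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

API_PATH = "/api/json?tree=useSecurity,jobs[name]"   # root API, trimmed to what we need
SCRIPT_CONSOLE_PATH = "/script"                      # Jenkins script console


@dataclass
class ApiFinding:
    anonymous_read: bool                   # did /api/json answer 200 with JSON?
    use_security: Optional[bool] = None    # "useSecurity" from the root API, if readable
    jobs: List[str] = field(default_factory=list)


def assess_api(status: int, body: str) -> ApiFinding:
    """Interpret an anonymous GET of /api/json. A 401/403 is the healthy case."""
    if status != 200:
        return ApiFinding(anonymous_read=False)
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        # A 200 with non-JSON is usually a login page or a proxy, not the Jenkins API.
        return ApiFinding(anonymous_read=False)
    return ApiFinding(
        anonymous_read=True,
        use_security=data.get("useSecurity"),
        jobs=[j.get("name", "?") for j in data.get("jobs", [])],
    )


def rate(api: ApiFinding, script_status: int) -> str:
    """Collapse the two probes into one severity label."""
    if script_status == 200:
        return "anonymous-admin"   # script console reachable: arbitrary Groovy on the controller
    if api.anonymous_read:
        return "anonymous-read"    # job names, console logs and archived artifacts are readable
    return "locked"


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET without credentials; return (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-triage-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Run both probes against a live instance you are authorised to test."""
    base = base_url.rstrip("/")
    api = assess_api(*fetch(base + API_PATH, timeout))
    script_status, _ = fetch(base + SCRIPT_CONSOLE_PATH, timeout)
    return rate(api, script_status)


# Constructed sample responses (not captured from any real server).
OPEN_BODY = json.dumps({
    "useSecurity": False,                       # security disabled outright
    "jobs": [{"name": "build-fw"}, {"name": "deploy-staging"}],
})
LOCKED_BODY = "<html><body>Authentication required</body></html>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("open instance  :", rate(assess_api(200, OPEN_BODY), 200))
        print("locked instance:", rate(assess_api(403, LOCKED_BODY), 403))
```

Run it as `python jenkins_triage.py https://jenkins.example.internal/` against an instance you own; with no argument it evaluates the two constructed responses. A result of "anonymous-read" with `use_security` reported as `False` is the "authentication disabled for convenience" case from the article; "anonymous-read" with `use_security` `True` means security is on but the authorisation strategy still grants anonymous read, which is enough to pull job configuration and build artifacts.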
Diachenko spotted a variety of files including source code for GE Aviation software, configuration files, unencrypted passwords, and private encryption keys. He reported his findings immediately to GE’s security team who plugged the hole within a few short hours.
Despite the apparent sensitivity of that data, GE Aviation classed the exposure as a “medium-risk vulnerability.” A spokesperson explained that the company found no evidence that systems had been accessed by unauthorized parties and that the exposed credentials would only have been useful from within GE’s network. There was no indication that such an intrusion had occurred.
Still, Diachenko says it’s “unknown for how long [the server] has been open for public access.” With the uptick in hacking incidents targeting U.S. entities like GE Aviation in recent years, any vulnerability or exposure, however small, could be disastrous. It would be extremely fortunate if a white hat like Diachenko was the first to spot the open window.