This article is more than 1 year old
'This repository is private' – so what's it doing on the public internet, GE Aviation?
DNS config snafu bares Jenkins instance contents to world+dog
GE Aviation managed to expose a pile of its private keys on a misconfigured Jenkins instance that was exposed to the public internet, according to a security researcher who found it through Shodan.
"It took me only a couple of clicks to stumble upon a Jenkins server which appeared to be part GE Aviation internal commercial infrastructure," blogged Bob Diachenko, a researcher for consultancy Security Discovery.
It appeared, from what he found, that Diachenko had got into a backend repository powering GE Aviation's customer portal. The server, he said, "contained source code, plaintext passwords, configuration details, private keys from a variety of GE Aviation internal infrastructure" and more.
The key to large chunks of this information was contained in a readme file, which read in part: "This repository contains all of the configurations that are managed through Chef that are non application specific and shared between servers and applications... All of the configurations in this repository are potentially security sensitive so this repository is private and *ALL* forks of this configuration code must be private."
A DNS misconfiguration exposed the repo server. Diachenko told GE and the instance vanished from the publicly accessible internet within the day, following a response from the company within two hours.
GE Aviation builds engines that power a significant number of the world's airliners, including the Boeing 747 and that company's 787 Dreamliner. It employs around 40,000 people worldwide and supports 25,000 engines, including the widely used CF6 and CFM56 lines from its joint venture with France's SNECMA.
The company has not responded to The Register's request for comment, though it admitted to Diachenko that "plaintext usernames and passwords were exposed on this server, but these credentials mapped to applications only accessible from our internal network".
GE Aviation added that no customer data, nor "significant" GE data, was affected, and said a malicious person would need access to the company's internal environment to exploit them – but it reset all the creds anyway "as a precautionary measure".
"Our recommendation to other companies is to perform regular auditing of their static DNS mappings to ensure that mappings that no longer need to exist are deleted to avoid a similar situation," GE Aviation told Diachenko.
The researcher has been behind a number of discoveries of improperly secured data over the years, including a misconfiguration snafu by Veeam which exposed millions of their customers' records. ®
Biting the hand that feeds IT
