
When using a Bamboo cloud agent, on Windows, you're instructed to have a Bamboo Windows user with a default known password: Atlassian1.

It clearly says that this user should be configured to deny remote login.

But still, it's an active Windows user with a fair bit of permissions. Bamboo's server (cloud) interacts with the machine on a known port, 26224. Through this channel it sends all build commands, gets build status from the remote agent, etc.

What prevents a hacker from scanning the Internet, finding a host with port 26224 open and starting to talk with the Bamboo agent? How does the agent know for sure that it is talking to a legitimate Bamboo CI server?

I'm asking that in order to be fully confident that there is no possible attack vector.

Ofer Zelig
  • Regarding the bounty's comment: please disregard it. It was supposed to be used in another question, and I can't delete it. The bounty still applies of course. – Ofer Zelig May 27 '15 at 05:20

1 Answer

The Security documentation for Bamboo states:

Please note the following security implications when enabling remote agents for Bamboo:

  • No encryption of data passed between server and agent — this includes data such as:

    • login credentials for version control repositories

    • build logs

    • build artifacts

  • No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:

    • Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.

    • Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.

    • See Agent authentication for more information.

We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default (see Disabling and enabling remote agents support).

For public facing agents, Atlassian strongly recommends securing them which is done using SSL. See Securing your remote agents which contains this note:

This page applies to remote agents and not elastic agents. Elastic agents are secured automatically by the Bamboo server and no additional steps are required.

Furthermore, on the elastic piece, their documentation on Elastic Bamboo Security states:

All traffic sent between the agents located in EC2 and the Bamboo server is tunnelled through an SSL-encrypted tunnel. The tunnel will be initiated from the Bamboo Server to the EC2 instance, which means that you don't need to allow any inbound connections to your server. You will need to permit outbound traffic from the server on the tunnel port, however - the default port number is 26224. On the EC2 instance, only the tunnel port needs to be open for inbound traffic.

Welsh
  • This is very close (still not getting me to the definite answer on how to protect a cloud agent by only allowing it access from the Bamboo cloud server, whose IP I can't tell) and leads me in the right direction. I'll mark this answer as accepted for now and hopefully, if I get a more specific answer, I'll put it here. In the meantime I hope there will be an authoritative answer from Atlassian or someone else. Thanks! – Ofer Zelig Jun 03 '15 at 01:06
  • You could lock it down with a Windows Firewall inbound rule to only allow certain IP addresses. This Atlassian document lists the current IP ranges used by Atlassian: https://confluence.atlassian.com/display/Cloud/Database+and+IP+information#DatabaseandIPinformation-IPAddressrange and alternatively you should be able to run a build and figure out what inbound connections are happening to the server to get the specific inbound IP. – Welsh Jun 03 '15 at 03:15
  • _This_ is the answer. I thought about the latter option before but it's very quirky, the former looks like something you can rely on. Thanks! – Ofer Zelig Jun 03 '15 at 04:18
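The firewall lock-down suggested in the comments above, and the question's concern about TCP 26224 being reachable from anywhere, can be turned into a repeatable script. The following is an added example, not code from the question, the answer or Atlassian: it scopes inbound TCP 26224 on the Windows agent host to a fixed list of source ranges, then audits for any other enabled rule that still opens the port to any address, since Windows Firewall applies the union of all matching Allow rules and one broad rule would silently undo the scoping. The CIDR ranges in `$AllowedRanges` are RFC 5737 documentation addresses used as placeholders; substitute the ranges from the Atlassian IP list linked in the comment, and re-run the script whenever that list changes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the question, the answer or Atlassian's docs).
# Scopes inbound TCP 26224 on a Windows Bamboo agent host to a fixed list of
# source ranges and audits for any other rule that still opens the port.

$AgentPort     = 26224
# PLACEHOLDERS: RFC 5737 documentation ranges, NOT Atlassian's real ranges.
$AllowedRanges = @('203.0.113.0/24', '198.51.100.0/24')
$RuleName      = 'Bamboo agent TCP 26224 - allow only Bamboo server ranges'

# 1. Unsolicited inbound traffic is dropped unless a rule allows it. This is
#    the Windows default, but a hand-tuned host may differ, so set it explicitly.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Re-create the scoped allow rule so the script is safe to re-run after
#    the allowed ranges change.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $AgentPort -RemoteAddress $AllowedRanges -Action Allow `
    -Profile Any | Out-Null

# 3. Audit: every enabled inbound Allow rule (other than ours) whose port
#    filter covers the agent port and whose remote address scope is 'Any'.
#    A single such rule re-exposes the agent to the whole Internet.
function Get-BroadAgentPortRules {
    param([int]$Port = $AgentPort, [string]$KeepRule = $RuleName)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $KeepRule } |
        ForEach-Object {
            $rule       = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            $addrFilter = $rule | Get-NetFirewallAddressFilter

            # Only TCP (or protocol-agnostic) rules can open a TCP listener.
            if ($portFilter.Protocol -notin @('TCP', 'Any')) { return }

            # LocalPort may be 'Any', a single port, a 'low-high' range,
            # or an array of those.
            $coversPort = $false
            foreach ($p in @($portFilter.LocalPort)) {
                if ($p -eq 'Any') { $coversPort = $true; break }
                if ($p -match '^(\d+)-(\d+)$') {
                    if ([int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) {
                        $coversPort = $true; break
                    }
                } elseif (($p -as [int]) -eq $Port) {
                    $coversPort = $true; break
                }
            }
            $anySource = @($addrFilter.RemoteAddress) -contains 'Any'

            if ($coversPort -and $anySource) {
                [pscustomobject]@{
                    DisplayName = $rule.DisplayName
                    Profile     = $rule.Profile
                    LocalPort   = (@($portFilter.LocalPort) -join ',')
                }
            }
        }
}

$broad = @(Get-BroadAgentPortRules)
if ($broad.Count -gt 0) {
    Write-Warning "These rules still expose TCP $AgentPort to any source address:"
    $broad | Format-Table -AutoSize
} else {
    Write-Host "No enabled inbound rule opens TCP $AgentPort beyond the scoped rule."
}

# 4. Confirm whether the agent is listening on the port at all right now,
#    and which process owns the listener.
Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The script deliberately does not add a separate "block 26224 from everything else" rule: in Windows Firewall an explicit Block rule wins over any matching Allow rule, so such a rule would also cut off the Bamboo server itself. Relying on the profile's default inbound action plus one narrowly scoped Allow rule, and auditing for stray broad rules, is the correct shape for this control. Note that it only addresses the network-exposure question; as the accepted answer's quoted documentation points out, remote (non-elastic) agents still need SSL configured per "Securing your remote agents" for authentication of the server.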