Phase 8 — Edge Infrastructure
VPN
(vpn.corezoid.com → 34.250.252.21)
- Identified as OpenVPN Access Server via the "Server: OpenVPN-AS" response header
- Ports open: 80, 443
- Port 8888 (OpenVPN-AS admin port) closed — good, admin interface not publicly reachable
- Nmap -sT -T2 reported tcpwrapped on 443, meaning the TCP handshake completes but a detailed version fingerprint couldn't be extracted
- Filed as CRZ-005 — Info
Jira
(jira.corezoid.com → 54.246.145.93, 79.125.30.11)
- Jira Server 7.12.3 (2018-10-12) — EOL, vulnerable to multiple CVEs
- Filed as CRZ-006 — Critical
- Ehcache RMI ports (40001/40011/40021/40031/40051/40061/40071) filtered — CVE-2020-36239 not directly exploitable
- /secure/ContactAdministrators form is DISABLED — CVE-2019-11581 primary vector mitigated (but many other vectors remain)
- Anonymous REST API access allowed for: /rest/api/2/serverInfo, /rest/api/2/dashboard, /rest/api/2/mypermissions, /rest/api/2/field, issue search (returns empty)
- No actual issue data leaked to anonymous — authorization on issue content is intact
Confluence
(confluence-ferma.corezoid.com)
- Returns 503 Service Unavailable — offline
- Customer-branded ("Ferma")
- Cannot fingerprint version
- If brought back online, recommend a version check against CVE-2022-26134 (OGNL injection), CVE-2023-22515, etc.
Dev hosts
corezoid-ma.dev.corezoid.com (84.8.218.23)
- SSH exposed on port 22 with banner SSH-2.0-OpenSSH_8.7 (Aug 2021 release, ~4.5 years of missed patches)
- Vulnerable to CVE-2024-6387 (regreSSHion) if glibc Linux — unauth RCE as root
- Filed as CRZ-007 — High
- Ports 80, 443 also open
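As a defender-side triage aid (added here, not part of the assessment's own tooling): given SSH banners from an asset inventory, this classifies each OpenSSH version against the CVE-2024-6387 affected ranges published in the OpenSSH 9.8 release notes. It is banner-only: distro builds keep old version strings after backporting fixes, so an "affected-range" result is a prompt to check the installed package version, not a confirmed vulnerability. Hostnames other than the page's own are constructed.

```python
import re

# Version ranges from the OpenSSH 9.8 release notes for CVE-2024-6387 (regreSSHion):
#   < 4.4p1            affected (unless patched for CVE-2006-5051)
#   4.4p1  to < 8.5p1  not affected
#   8.5p1  to < 9.8p1  affected
#   >= 9.8p1           fixed
# All of this applies only to glibc-based Linux builds of OpenSSH.
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]
FIXED_FROM = (9, 8, 1)

BANNER_RE = re.compile(
    r"SSH-[\d.]+-OpenSSH_(?P<maj>\d+)\.(?P<min>\d+)(?:p(?P<p>\d+))?(?P<rest>.*)"
)


def parse_banner(banner):
    """Return ((major, minor, portable), distro_suffix) or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    # A banner without a p-suffix (e.g. "OpenSSH_8.7") is treated as the p1 portable
    # release so that boundary versions such as 9.8 compare as fixed.
    portable = int(m.group("p") or 1)
    return (int(m.group("maj")), int(m.group("min")), portable), m.group("rest").strip()


def triage_openssh_banner(banner):
    """Classify one banner: affected-range / not-affected / fixed / unknown."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"status": "unknown", "version": None, "note": "not an OpenSSH banner"}
    version, rest = parsed
    if any(lo <= version < hi for lo, hi in AFFECTED_RANGES):
        status = "affected-range"
    else:
        status = "fixed" if version >= FIXED_FROM else "not-affected"
    note = "glibc Linux only; confirm with installed package version"
    if rest:  # distro suffix such as "Ubuntu-3ubuntu13.5" often indicates backported fixes
        note += "; distro build (%s), fix may be backported" % rest
    return {"status": status, "version": "%d.%dp%d" % version, "note": note}


def hosts_needing_action(inventory):
    """Return (host, version) pairs whose banner falls inside an affected range."""
    return [(host, triage_openssh_banner(b)["version"]) for host, b in inventory
            if triage_openssh_banner(b)["status"] == "affected-range"]


# Constructed sample inventory; the first banner is the one observed in this report.
SAMPLE_INVENTORY = [
    ("corezoid-ma.dev.corezoid.com", "SSH-2.0-OpenSSH_8.7"),
    ("example-fixed.internal", "SSH-2.0-OpenSSH_9.8p1"),   # constructed
    ("example-old.internal", "SSH-2.0-OpenSSH_7.4"),       # constructed
]
```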
admin-oleg.dev.corezoid.com (34.249.23.157)
- Named-developer dev subdomain — classic forgotten-asset risk pattern
- All 1000 top TCP ports filtered — nothing public-reachable
- Not currently an attack surface, but DNS entry should be cleaned up if host is no longer needed
admin-pre.corezoid.com
- Resolves to internal AWS ELB + RFC1918 IPs (10.50.0.0/16)
- Filed as CRZ-001 — Low
- Not reachable from outside — ELB is internal
Internal
GitLab (gitlab-mambu.corezoid.com, registry.gitlab-mambu.corezoid.com)
- Both unresponsive to HTTPS probes from my location — may be IP-allowlisted or down
- Customer-branded GitLab ("Mambu")
- If live, GitLab has a long CVE history (CVE-2021-22205, unauthenticated RCE via ExifTool, being the notorious one for old versions)
- Recommend internal audit of which IP ranges can reach these
Confluence
git.corezoid.com
- Behind AWS Global Accelerator
- Port 22 reachable but no banner extracted
- No HTTP probe data captured
Egress / origin-IP discovery for CDN-fronted hosts
- book.corezoid.com → CloudFront (4 IPs in 3.174.230.0/24)
- doc.simulator.company, cdn-sim-dev.simulator.company, cdn-sim-pre.simulator.company, cdn-mw.simulator.company → all CloudFront
- No origin IP discovered via naive DNS (SAN harvest didn't reveal origin); a more thorough discovery would need historical DNS + Shodan's CloudFlare-behind dataset (not attempted)
What's NOT tested per RoE
- No VPN brute-forcing (fingerprint-only per RoE)
- No SSH credential probing
- No JIRA exploitation (version disclosure is sufficient evidence for the finding)
- No regreSSHion PoC (destabilizing, would crash sshd processes)
- No Ehcache RMI probing (filtered anyway)
Summary of edge findings
| Host | Severity | Issue |
|---|---|---|
| jira.corezoid.com | 🔴 Critical | Jira 7.12.3 EOL — multiple RCE CVEs |
| corezoid-ma.dev.corezoid.com:22 | 🟠 High | OpenSSH 8.7 public + vulnerable to regreSSHion |
| track.pre.corezoid.com | 🟠 High | EKS API public (Phase 2 finding) |
| vpn.corezoid.com | ⚪ Info | OpenVPN-AS version not fully fingerprinted |
| admin-pre.corezoid.com | 🔵 Low | RFC1918 IPs leaked via public DNS |