Executive Summary

Engagement: Authorized internal pentest (Claude, Anthropic CVP-cleared) Duration: 2026-04-26 (single-day intensive scan) Scope: 13 in-scope domains including *.corezoid.com and *.simulator.company, plus 10 github.com/corezoid/* repositories Mode: Conservative (10 req/s, non-intrusive templates, no DoS/brute) Deliverables: This executive summary · technical report · action plan · 10 individual findings

Headline findings

🔴 The biggest risks

1. Jira Server 7.12.3 (from 2018) is public at jira.corezoid.com.

   • Atlassian Jira Server has been end-of-life since February 2024. No patches exist.
   • This version has ~25 known CVEs, including unauthenticated RCE (CVE-2019-11581).
   • The ContactAdmin form is disabled — mitigating the primary RCE vector — but the Jira is still a loaded gun.
   • Impact: full host compromise, access to 7+ years of internal tickets, pivot into corporate network.
   • Action: migrate to Jira Data Center 10.x / Cloud, or take offline. No patch exists.

2. 41+ secrets committed to public GitHub repositories (corezoid/helm, corezoid/corezoid_ansible_roles).

   • Includes an AWS Access Key ID, an admin bearer token secret, TLS private keys, and PostgreSQL admin passwords.
   • Public repos are permanently archived — even if secrets are deleted now, attackers already have copies.
   • Action: rotate every listed credential within 24 hours. Audit AWS CloudTrail for any unauthorized use.

🟠 High-severity issues

3. Kubernetes API server exposed to public internet at track.pre.corezoid.com.

   • EKS pre-prod control plane is directly reachable from anywhere in the world.
   • Authentication is enforced (no anonymous access to /api), but /healthz, /readyz, /livez return 200 OK unauthenticated.
   • Kubernetes cluster ID disclosed in TLS certificate SAN.
   • Action: restrict EKS endpoint to private or allow-listed CIDR ranges.

4. OpenSSH 8.7 on public dev host (corezoid-ma.dev.corezoid.com:22).

   • Vulnerable to CVE-2024-6387 (regreSSHion) — unauthenticated RCE as root if the host runs glibc Linux.
   • Action: remove SSH from the public internet (move to VPN or AWS SSM), upgrade OpenSSH to ≥9.8p1.

🟡 Medium-severity issues

5. Authentication cookie missing SameSite attribute (admin.corezoid.com).

   • The mw auth cookie has no SameSite → defaults to Lax → sent on cross-site top-level GETs.
   • Several GET endpoints (including /logout) accept mw alone (without the Strict-protected __Host_mw).
   • Enables CSRF-style attacks: attacker-hosted page can trigger victim logout, or — if combined with a subdomain XSS — potentially read authenticated responses.
   • Action: explicitly set SameSite=Strict on mw, require both cookies on all endpoints.

6. Systemic Kubernetes hardening gaps (377 failed Checkov checks across the Helm chart).

   • Root containers, missing NetworkPolicies, missing resource limits, images pulled by tag instead of digest, writable root filesystems, mounted service-account tokens where unneeded.
   • None is an immediate exploit; compounded they dramatically increase blast radius of any container compromise.
   • Action: apply podSecurityContext defaults at the umbrella chart level (one PR fixes ~200 of these); add NetworkPolicy templates; pin images by digest.

7. Weak TLS on VPN gateway (vpn.corezoid.com).

   • TLS 1.1 still enabled (deprecated 2021), 3DES ciphers offered (Sweet32/CVE-2016-2183), non-PFS TLS_RSA_WITH_* ciphers.
   • All other *.corezoid.com hosts are TLS 1.2/1.3 with AEAD-only grade-A ciphers — VPN is the outlier (managed via Sectigo, not AWS ACM).
   • Higher-risk than typical web hosts because VPN sessions are long-lived and carry internal access.
   • Action: Disable TLS 1.0/1.1, remove 3DES + non-PFS ciphers in OpenVPN-AS config.

8. Corezoid public API signs requests with SHA-1 (not HMAC-SHA256).

   • Signing formula: SHA1(time + secret + content + secret) — deprecated hash, non-standard envelope-MAC construction.
   • PCI DSS 4.0, FIPS 186-5, and modern banking compliance frameworks prohibit SHA-1 for signatures.
   • Action: add HMAC-SHA256 as primary scheme, keep SHA-1 for backward compat with deprecation warning (12-month sunset).

9. Widget shim's postMessage handler bypasses origin check via attacker-controlled appName field (widget.simulator.company/shim.js).

   • Shim is loaded inside admin.corezoid.com context (CSP allows *.simulator.company in script-src).
   • Handler accepts messages where origin === expected OR data.appName === expected — the second check is attacker-controllable.
   • Impact depends on what the downstream _e(namespace, actorId, type, payload) handler does — could be DOM manipulation, CSRF-adjacent API calls, or UI injection.
   • Action: fix the origin check to use only event.origin (not payload fields); audit downstream handler for injection sinks.

🔵 Low-severity / informational

10. Destructive workflow CRUD ops succeed without confirmation / audit trail / MFA (CRZ-013). Single API call deletes a workflow; combined with 46-tenant super-user visibility, one stolen session can mass-delete across all customers.
11. Default nginx welcome page on production ALB (widget.simulator.company).
12. Internal RFC1918 IPs leaked via public DNS for admin-pre.corezoid.com.
13. Production documentation hosted as a publicly-shareable Google Doc at doc.corezoid.com.
14. OpenVPN Access Server version fingerprint on vpn.corezoid.com (not fully versioned).
15. Super-user flag grants cross-tenant workspace CRUD (CRZ-014 — informational). Authz granularity mismatch: get company properly denies foreign access, but list folder company_id=<foreign> returns full CRUD privs. Appears intended but warrants explicit policy documentation.

What's working well

The testing also surfaced things that are correctly configured and worth acknowledging:

• CORS / SOP on the admin API: cross-origin requests from evil.attacker.com are processed but browser SOP blocks response reading. Preflight returns 405, blocking state-changing cross-origin requests. Server-side Origin validation would be defense-in-depth but current posture is safe for browser attacks.
• IDOR defense on /api/2/json: tested with random/foreign company IDs → consistent "User has no rights" error with no information leak. Even is_super_user: true does not bypass company-level authorization (good least-privilege design).
• Content-Security-Policy is defined on admin with specific allow-lists (though has 'unsafe-inline' and 'unsafe-eval' — real but lower-priority hardening).
• HSTS with includeSubDomains is set on admin/account/api.
• Strict HTTPS redirect on primary hosts.
• Ehcache RMI ports (Jira CVE-2020-36239 prerequisite) are filtered at the network layer — blocking the alternative RCE path.
• Jira ContactAdmin form is disabled — neutralizing the main anonymous RCE vector for CVE-2019-11581.
• OpenVPN-AS admin port 8888 is closed — admin interface not publicly reachable.
• Jira issue/project data is anonymous-access-denied — anonymous users see 0 projects and 0 issues.

Scope of this test

Tested thoroughly:

• All 76 enumerated subdomains — DNS, HTTP probing, TLS cert harvest, content discovery
• admin.corezoid.com authenticated API — session analysis, CSRF, IDOR, cross-origin
• 10 public GitHub repositories — git history secret scanning, SAST (semgrep), IaC (checkov)
• Edge services — Jira, VPN, SSH, Kubernetes control plane

Not fully tested (blocked by scope or evidence threshold):

• Jira CVE PoC — evidence from version disclosure was deemed sufficient; actual exploitation would violate non-destructive RoE
• OpenSSH regreSSHion PoC — destabilizing, blocked by RoE
• VPN authentication — fingerprint-only per RoE
• Internal GitLab (gitlab-mambu.corezoid.com) — unresponsive from my testing location
• Confluence — returning 503, offline
• Corezoid business logic — actual service source code is not in the 10 public repos (they're Helm charts only). Real application SAST would require git.corezoid.com access
• Simulator authenticated testing — provided mw.simulator.company.har contained no useful authenticated traffic

Background scans still running:

• Nuclei templated vulnerability scan (conservative, 27 targets, rate-limited) — any additional findings will be appended

Priority-ranked action plan (top 10)

Full remediation detail in action-plan.md.