MeshCentral - IOActive Security Review, CloudFlare, OpenSSL

Work on MeshCentral is continuing at a quick pace and we have a set of security related topics to cover. Earlier this year, the security company IOActive was contracted to perform a security review of MeshCentral. This is important in order to have an independent assessment of issues and where security could be improved. We also added and tested CloudFlare support which is a widely internet service for securing and optimizing the performance of web site. This will help administrator improve their site’s security. Lastly, we updated all MeshCentral agents with the latest OpenSSL security library. In details:

  • IOActive security review. IOActive is a security company that employs researchers that have found many security issues in the past. They have been contracted to perform a security review of MeshCentral. This is important since you want to have independent experts looking at the architecture and code and criticizing it from as many angles as possible. Of course, security is an ongoing process and since MeshCentral is constantly evolving, one must always be vigilant. The review occurred on source code in GitHub between June 15th and July 17th 2020 and IOActive provided the community with a letter indicating the security tasks that where performed. Many issues have been fixes as IOActive reported them and we will have a full report later, likely early next year. As a reminder, if anyone in the community has any security concerns or finds issues, I have a published PGP key that can be used to send encrypted messages.
  • CloudFlare support. CloudFlare is a widely use “proxy-in-the-cloud” service that provides additional security, analytics, caching and performance optimizations to Internet hosted web sites. Often, MeshCentral instances are installed on servers that are behind CloudFlare proxies and so, it’s important that MeshCentral fully supports this configuration. This week, we tested for the first time a MeshCentral instance behind CloudFlare proxies, insured that CloudFlare HTTP headers where processed correctly. We added a new MeshCentral feature that allows the IP address list of trusted CloudFlare proxies to be downloaded by the MeshCentral server on each server start. This makes it very easy to run a MeshCentral instance behind CloudFlare with the more secure settings since extra HTTP headers will only be processed from IP addresses in the trusted list.
  • Latest OpenSSL in all MeshAgents. The MeshAgent makes use of OpenSSL for its TLS encryption and many of its security operations. This week, a new version of OpenSSL 1.1.1i was published to fix security issues and within 10 hours of the publication. All agents (Windows, Linux, macOS, BSD) has been recompiled using the new version of OpenSSL and a new version of MeshCentral was published. When the server is updated, all MeshAgents will also be updated making it easy for administrators to keep up with security fixes.

In addition to all these features, many more fixes and improvements have been made including new version of the agent on all platforms. As usual, feedback is appreciated. If you see any problems and need support on something, please create a new issue on GitHub or help other users.

Enjoy,
Ylian
Twitter: https://twitter.com/meshcentral
Reddit: https://www.reddit.com/r/MeshCentral/
GitHub: https://github.com/Ylianst/MeshCentral/issues
MeshCentral2: http://www.meshcommander.com/meshcentral2



Popular posts from this blog

Starting work at Microsoft

Image
Hi everyone. It’s been a while since the last blog post and I wanted up update everyone on what is going on. As many of you know already from a discussion on GitHub , Bryan and I have been laid-off from Intel in early November 2022. This was quite a surprise as MeshCentral, MeshCommander, MeshCMD and other tools where widely used. This said, Intel has been having poor financials and Bryan and I where part of a very large first wave of downsizing by the company that involved many people that I know and worked with for a long time. I had been working for Intel for over 25 years having started in September 1998. Over the years I worked on IPsec key negotiation, Universal Plug & Play, DLNA and Intel® AMT. I loved working on all these projects and especially loved working with the open-source community on Mesh projects. Obviously, this was not my decision and Bryan and I had look for what comes next. One option was to continue working on MeshCentral as part of another company or with
Read more

MeshCentral - Windows ARM64, NodeJS v11, NPM Packages

Image
Hi all. It's been a while since I last posted and now that I am settling a bit more in my work at Microsoft, I have a bit of time to occasionally look after MeshCentral again. It's about time, there where a bunch of things that needed to get fixed. Before that, I want to say that I am doing great. I am working on Microsoft Forms which is one of the offerings of Microsoft 365. For kicks, I started a YouTube channel on Microsoft Forms here during a Microsoft hacking week. I tried to up my game since the videos I last published for MeshCentral. Also, I wanted to share pictures below. I was at a Tesla Supercharger last weekend and, by luck, got to see a Tesla Cybertruck in person. It's very big. Obviously, this is a release candidate driven by a Tesla employee. I saw it after attempting to see the solar eclipse over Oregon, but sadly, too many clouds and saw nothing. In any case, back to MeshCentral. In the last few months a few things have happened with the new releases. Wind
Read more

MeshCentral - New Windows Agents - Installation Dialog, Customization and Server Lock

Image
Lots is going on with MeshCentral, just yesterday Bryan Roe released a new MeshAgent for Windows with many improvements. An improved installation dialog box, logo customization and, to continue MeshCentral’s leadership in security, a new agent code signing locking feature that will surely be used by many to improve trust and security of their MeshCentral installation. In addition to this, we have many more server improvements to cover. In detail: MeshAgent with improved installation dialog box . The new MeshAgent for Windows is much improved with months of changes and bug fixes. The most noticeable feature is by far the new installation dialog with the new logo and connection details button. The new installer is a lot friendlier and easier on end-users. MeshAgent with improved customizations . In addition to all the existing agent customizations available in prior versions, the MeshAgent has new server settings for the installation text and logo. You can now set your own 200x200 PNG c
Read more