Update on Unimus codebase and release security
Most of our readers (Hello!) will be familiar with the SolarWinds saga. In December 2020, SolarWinds announced that its Orion software was exploited in a supply-chain attack. This FireEye article has a nice write-up of the original attack, called SUNBURST. Since then, at least 2 other malicious payloads were found present in Orion - first SUPERNOVA was discovered, and later on Raindrop and Teardrop were also discovered hiding inside the Orion executables.
Many networks were affected, and I'm sure this resulted in a significant amount of work for many of you reading this article. CISA at one point recommended that all systems accessed by Orion in government agencies be rebuilt from scratch (latest CISA guidelines can be found here).
Security in infrastructure management tools is extremely important. We take incidents like these very seriously, and want to do everything we can to make sure something like this doesn't happen to Unimus. As such, we wanted to publish an article on what we have been doing in the past months to make sure our systems and Unimus itself are safe, and what we plan to do going forward.
Our (NetCore j.s.a.) systems are separated into 3 different groups:
- Unimus instances customers run in their network (we have no access to these)
- Our websites, Portal and Licensing Server (our public resources)
- Our internal environments, tools, servers, workstations, etc. (our internal resources)
Let's start with Unimus:
We have audited our codebase and our build process, and we can happily report that we have found no issues and no signs of tampering nor malicious activity on any systems involved in the Unimus development or build process.
We do however see areas for improvements:
- Some of the dependencies / libraries we use are not the latest available versions. This includes our backend and frontend frameworks. To fix this, we are updating all dependencies / libraries to the latest versions. This is actually a large amount of work, since both frontend and backend frameworks have new major LTS releases available. The dev team has been working since December migrating to these new LTS versions.
- We can improve a lot in the code-signing area. Unimus is built from 12 different modules. We will implement code-signing on the module level, and validate each module's signature when the final Unimus binary is built out of the individual modules.
- We will be introducing a Bug Bounty / Security Bounty program for Unimus. More on this to come soon.
In general, we see the security of the Unimus codebase and the build process as good, with areas for improvement that we are now working on. We are giving this priority, so all of the above mentioned improvements will be coming sooner rather than later.
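The per-module signing and build-time validation described above, as an added illustration (this is not Unimus's build pipeline; the module names, the Ed25519 key handling and the name-binding of signatures are assumptions):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Module is one build component carrying its bytes and a detached signature.
type Module struct {
	Name string
	Data []byte
	Sig  []byte
}

// signedMessage binds the module name to its contents, so a valid signature
// for one module cannot be replayed onto a different module.
func signedMessage(name string, data []byte) []byte {
	return append(append([]byte(name), 0), data...)
}

// SignModule signs one module with the build signing key (Ed25519, assumed).
func SignModule(priv ed25519.PrivateKey, name string, data []byte) Module {
	return Module{Name: name, Data: data, Sig: ed25519.Sign(priv, signedMessage(name, data))}
}

// AssembleSigned verifies every module before merging it into the final
// artifact; a single bad signature aborts the whole build.
func AssembleSigned(pub ed25519.PublicKey, mods []Module) ([]byte, error) {
	var out []byte
	for _, m := range mods {
		if !ed25519.Verify(pub, signedMessage(m.Name, m.Data), m.Sig) {
			return nil, fmt.Errorf("module %q: signature invalid, build aborted", m.Name)
		}
		out = append(out, m.Data...)
	}
	return out, nil
}

// Demo signs two constructed modules, builds once cleanly, then modifies one
// module after signing and shows that the second build is rejected.
func Demo() (cleanErr, tamperedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	mods := []Module{SignModule(priv, "core", []byte("core-bytes")), SignModule(priv, "ui", []byte("ui-bytes"))}
	_, cleanErr = AssembleSigned(pub, mods)
	mods[1].Data = []byte("ui-bytes-with-implant") // constructed post-signing modification
	_, tamperedErr = AssembleSigned(pub, mods)
	return cleanErr, tamperedErr
}
func main() { fmt.Println(Demo()) }
```

The signing key would live only on the signing host; the build host needs just the public key to reject any module altered after it was signed.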
Websites, Portal and Licensing Server:
We have audited all the servers running our public services, as well as the Portal and the Licensing Server codebases and build processes. We can also happily report that we have found no issues and no signs of tampering nor malicious activity on any of our public systems.
Since the Portal holds customer data (your billing info), we want to make sure all your data with us is properly protected (we don't hold any payment data on our Portal directly). We however see the same areas for improvement for our Portal and Licensing server as for Unimus. As such, the dev team has also been migrating both these services to the latest LTS versions of all dependencies / libraries / frameworks. We will also be implementing the same per-module code-signing and validation processes for our Portal and Licensing Server as we discussed for Unimus.
In keeping with full transparency, we also recently published a post on our forums explaining what data our Licensing Server collects from local Unimus instances. You can find the post here.
Finally, we will also launch a Bug Bounty / Security Bounty program for the Portal. More details on this will be released soon, together with the same program for Unimus itself.
Our internal environments, servers, workstations, etc:
We have also reviewed our internal systems and confirmed that there is no outside access (other than from our offices and our VPNs) to these systems. We have found no issues and no signs of external access or tampering with our internal systems.
We are also continuing to educate our staff on security best practices, and we heavily value and encourage a security-minded culture in our company. The internal culture and mindset of our company in regards to security is very important to us, and we will increase investment in internal and external security training to make sure all our developers and staff stay mindful of security best practices going forward.
To summarize:
- We audited the Unimus codebase and build process and found no security issues
- We audited all our public servers and services and found no security issues
- We plan to introduce more code-signing and integrity checks into the Unimus build process
- We are updating all dependencies / libraries to the latest versions across all our software / services
- We plan to start a Bug Bounty / Security Bounty program
We are happy to answer any security-related questions you might have, and we would also love to hear if you have any feedback or suggestions on what you think we should do better. Please feel free to post any feedback in this forum topic. Thanks!