Ylianst/MeshAgent

Current security state of the agent

Opened this issue · 3 comments

Hello,

I'm starting to get a bit concerned about the MeshCentral agent - the last update was over a year ago.

  • Does the agent not use any dependencies that have to be updated regularly to ensure that the included safety patches get applied?
  • Is anyone actively maintaining the agent right now?
  • Is it still safe to use the MeshCentral Agent (not talking about the server here) for production?

As far as I can see, @krayon007 was the only one who really worked on the agent itself.
I assume that he also doesn't work at Intel anymore. A bit of information on the current state of this project would be greatly appreciated:

[Screenshot attached: Screenshot_20231106_232729]

There are commits: https://github.com/Ylianst/MeshAgent/commits/master

@mwllgr Can you help with time, code or money?
Ylianst/MeshCentral#5540

Thanks for linking the donation/support thread and referencing the latest commits, @marclaporte. However, my focus for this thread was mainly on security. As this is the client part of the MeshCentral software suite, I think it is crucial to know whether it is secure to use with the current code base, the library versions used, etc.

As my knowledge of C (and JS in this case) is pretty limited, I'd appreciate some more feedback on that, especially regarding my questions - by someone who's able to at least tell which libraries/versions are used or similar. I think this would be extremely relevant for people that just use MeshCentral (and that's the vast majority).

I did a quick check and I found something:

The last OpenSSL update: 9d38b7e

There have been some releases in that branch since: https://www.openssl.org/news/openssl-1.1.1-notes.html

But OpenSSL branch 1.1.1 is EoL anyway, so a major update would make sense.
https://www.openssl.org/policies/releasestrat.html

Now, does this mean there is an exploitable issue? This is not trivial to answer.

Is there any way you can help?

Thanks!
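A repeatable version of the check described in the last comment, as an added example that is not from the thread or from MeshAgent itself: it scans a binary for the version banner OpenSSL compiles into its own code and compares that release branch against end-of-support dates. The banner format and the EoL dates in `BRANCH_EOL` are assumptions taken from OpenSSL's release strategy page linked above, and the sample bytes are constructed, not a real agent build.

```python
"""Which OpenSSL release is compiled into a binary, and is that branch still supported?"""
import re
import sys
from datetime import date

# OpenSSL embeds its version banner as a plain C string, e.g. b"OpenSSL 1.1.1t  7 Feb 2023".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")

# End-of-support dates per release branch. Assumed from the OpenSSL release strategy page
# linked in the thread; re-check it before relying on these values.
BRANCH_EOL = {
    "1.0.2": date(2019, 12, 31),
    "1.1.1": date(2023, 9, 11),
    "3.0": date(2026, 9, 7),
}

def find_openssl_banners(blob: bytes) -> list:
    """Return every (version, build_date) banner found in the raw bytes of a binary."""
    return [(v.decode(), d.decode()) for v, d in BANNER.findall(blob)]

def branch_of(version: str) -> str:
    """Map a version to its release branch: '1.1.1t' -> '1.1.1', '3.0.12' -> '3.0'."""
    major, minor, patch = re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()
    # 3.x and later use major.minor branches; 1.x branches carried three components.
    return f"{major}.{minor}" if int(major) >= 3 else f"{major}.{minor}.{patch}"

def support_status(version: str, as_of: str = "") -> str:
    """'supported', 'end-of-life' or 'unknown-branch' for the branch of `version`.
    `as_of` is an ISO date (YYYY-MM-DD); empty means today."""
    today = date.fromisoformat(as_of) if as_of else date.today()
    eol = BRANCH_EOL.get(branch_of(version))
    if eol is None:
        return "unknown-branch"
    return "end-of-life" if today > eol else "supported"

def audit(blob: bytes, as_of: str = "") -> list:
    """One record per embedded OpenSSL banner, with the support status of its branch."""
    return [{"version": v, "built": d, "status": support_status(v, as_of)}
            for v, d in find_openssl_banners(blob)]

# Constructed stand-in for an agent binary: an ELF-like header, padding, one banner, junk.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.1.1t  7 Feb 2023\x00" + b"\xff" * 8

if __name__ == "__main__":
    # Pass the path of a real agent binary to scan it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for rec in audit(data):
        print(f"OpenSSL {rec['version']} (built {rec['built']}): {rec['status']}")
```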