Mistral Code Enterprise

Problem

Private keys are used to protect sensitive information, digitally sign content, and to secure information transmission. Private keys are considered secrets, and as such should never be published. Depending on the type of a private key, its exposure can carry a varying degree of risk. Attackers abuse private keys to gain unauthorized server access, decrypt sensitive information, digitally sign content, or impersonate users whose private keys have been leaked.

Problem

Private keys are used to protect sensitive information, digitally sign content, and to secure information transmission. Private keys are considered secrets, and as such should never be published. Depending on the private key type its exposure can carry a varying degree of risk. While it is common for private keys to be found as standalone files, the detected ones have been found embedded within another software package component. This could indicate an attempt to hide private key presence. Attackers abuse private keys to gain unauthorized server access, decrypt sensitive information, digitally sign content, or impersonate users whose private keys have been leaked.

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.

Problem

Applications communicate with web services by exchanging HTTP requests. During software development, externally hosted services are used by developers to debug software quality issues relating to exchanging HTTP requests. Attackers commonly abuse tools designed for HTTP request inspection to monitor network traffic and extract sensitive information from the HTTP traffic. While the presence of domains related to HTTP inspection does not imply malicious intent, all of their uses in a software package should be documented and approved. Attackers might have purposely injected security testing tools in the software package to monitor the network traffic of the infected computer system. It is also possible that the software package has mistakenly included a part of its testing infrastructure during packaging.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks minimize the number of security issues by enforcing strict memory access checks. They also prevent the use of hard-to-secure string and memory manipulation functions. To prove the binary has been compiled with these checks enabled, the compiler emits a special debug object. Removing the debug table eliminates this proof. Therefore, this check only applies to binaries that still have their debug tables.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.

Problem

Various network communication protocols allow including plaintext authentication credentials. Information such as user names and passwords could be passed through a non-encrypted channel, and therefore intercepted by malicious actors. Credentials are considered secrets, and should be kept encrypted until they are used. This policy control matches the following URI pattern protocol://username:password@domain within any software package component.

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. Top-level domains (TLD) are a part of the Domain Name System (DNS), and are used to lookup an Internet Protocol (IP) address of a requested website. There are a few different types of top-level domains. Generic, sponsored and country-code TLDs are generally accessible to the public. Registrars that govern the assignment of domain names within the TLD may choose to sell specific domain names to an interested party. However, some registrars are known to have less strict rules for assigning domain names. Attackers often abuse gaps in governance and actively seek to register their malicious domains in such TLDs. This issue is raised for all domains registered within TLDs that harbor an excessive number of malicious sites. While the presence of suspicious TLDs does not imply malicious intent, all of its uses in a software package should be documented and approved.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.