
Architectural Fragility: The "Magician’s Trick" and Security Gaps in Exegy Managed Services


Feel free to email me at editor@exegy.today.

Executive Summary

A comprehensive technical audit of Exegy’s Managed Services infrastructure has uncovered a series of systemic security failures governing how remote appliances are provisioned and maintained. The architecture—originally designed around a "closed box" philosophy where the company operates like a "magician who likes not revealing how a trick is performed"—has resulted in massive technical debt. Because obfuscation of internal processes was prioritized over industry-standard security controls, the environment now suffers from unauthenticated proxy access, a lack of credential revocation, and a total absence of connection monitoring.


The Burden of Institutional Knowledge

The responsibility for managing these critical servers was transitioned to the team only after the departure of a former colleague. Because the design is highly non-standard and the security architecture remains entirely undocumented, I was the only person remaining who understood the internal mechanics of these systems.

Despite the critical nature of this infrastructure, Exegy performs no active auditing—that I am aware of—to ensure that all connections originating from remote sites are valid. It is also important to note that while third-party vendors are strictly prohibited from accessing these appliances (and are not supposed to have access at all), the current internal architecture lacks the technical enforcement to truly guarantee that boundary.


Technical Analysis: Legacy Constraints and Port 4004

The original architecture was built on a rigid requirement to utilize only a single port (4004) for all remote communication. This was driven by a corporate reluctance to coordinate with customer IT departments to open additional ports.

While a recent move to a load-balancing platform finally allowed for the integration of ITRS, Puppet, and Squid without saturating the OpenVPN tunnel (which historically bottlenecks at 125-250 KB/s), the underlying security logic remains dangerously permissive.

1. The Revocation Vacuum (OpenVPN)

The remote fleet utilizes a file-based easy-rsa setup for OpenVPN authentication.

  • The "No-Kill-Switch" Window: No Certificate Revocation List (CRL) has been implemented. When a system is decommissioned or a key is exfiltrated, the credential remains valid indefinitely. There is no automated "kill switch" to invalidate credentials across the fleet.

  • Git-Based Exposure: Root certificates and private keys are stored in a Git repository accessible to a broad user base. A GitLab job exists to automate the signing of new keys, meaning any user with repository access can mint valid credentials.

  • Unsuccessful Remediation Attempts: I personally initiated communications with the company—specifically the ITS and security groups—to advocate for the installation of a dedicated Key Management System (KMS). These efforts were rebuffed due to a refusal to allocate budget. In an effort to leverage existing internal security controls, I formally proposed an integration with the Microsoft Certificate System; however, the proposal was rejected by leadership.
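The missing kill switch, shown end to end as an added example (not Exegy's code or easy-rsa's own scripts): a throwaway CA built directly with the openssl CLI issues a client certificate, revokes it and publishes a CRL, and a CRL-aware check then rejects the credential. It assumes only that openssl is installed; the easy-rsa equivalents are `easyrsa revoke <name>` and `easyrsa gen-crl`, and OpenVPN consults the resulting file only when the server config carries `crl-verify`.

```shell
# Added example (not Exegy's code). Assumes only that the openssl CLI is installed.
# Builds a throwaway CA, issues a client certificate, revokes it and publishes a CRL;
# "easyrsa revoke <name>" and "easyrsa gen-crl" wrap the same openssl ca steps.
set -e
PKI=$(mktemp -d)
setup_ca() {
  mkdir -p "$PKI/newcerts"; : > "$PKI/index.txt"       # CA database, like pki/index.txt
  echo 1000 > "$PKI/serial"; echo 1000 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $PKI/index.txt
new_certs_dir = $PKI/newcerts
serial = $PKI/serial
crlnumber = $PKI/crlnumber
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$PKI/ca.cnf" \
    -subj "/CN=lab-ca" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$PKI/ca.cnf" -subj "/CN=appliance-01" \
    -keyout "$PKI/client.key" -out "$PKI/client.csr" 2>/dev/null
  openssl ca -batch -config "$PKI/ca.cnf" -in "$PKI/client.csr" -out "$PKI/client.crt" 2>/dev/null
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null   # empty CRL to start
}
# Revoke one credential and republish the CRL; this is the missing "kill switch".
revoke_cert() {
  openssl ca -config "$PKI/ca.cnf" -revoke "$1" 2>/dev/null
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}
# Prints "valid" or "revoked": the CRL-aware check OpenVPN performs only when "crl-verify" is set.
cert_status() {
  if openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" "$1" >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}
setup_ca; echo "before revocation: $(cert_status "$PKI/client.crt")"    # valid
revoke_cert "$PKI/client.crt"; echo "after revocation: $(cert_status "$PKI/client.crt")"   # revoked
```

Without the CRL check the revoked certificate still chains to the CA and would still be accepted, which is exactly the fleet's current state.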

2. The Unauthenticated Squid Proxy

Maintenance feed routers utilize Squid to allow remote appliances to pull RPMs and reports from JFrog Artifactory.

  • Zero Authentication: The proxy requires no credentials at all; it is configured for neither user passwords nor cryptographic client keys.

  • Lateral Exposure: Operations scripts utilize this proxy as a fail-over to communicate with internal servers for pushing configurator scripts (files detailing system architecture).

  • The Threat: Because the proxy is unauthenticated and lacks path-based restrictions, any actor on a customer network can reach back into Exegy’s network, exfiltrating data from Artifactory or interacting with internal configuration servers. Despite bringing this to the attention of previous management, no action was taken.
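What the missing path restriction looks like in practice, as an added example that is not Exegy's or Squid's own configuration: the allowlist is emitted as squid.conf ACL rules, and a constructed Squid native-format access.log is replayed against the same logic to surface requests the unrestricted proxy served that the rules would have denied. The Artifactory host name and repository keys are placeholders.

```shell
# Added example, not Exegy's or Squid's own code. The host name and repository keys
# below are placeholders and the access.log is constructed. Emits the hardened squid.conf
# fragment and replays a native-format access.log against the same allowlist logic.
set -e
ARTIFACTORY_HOST='artifactory.corp.example'       # placeholder host name
ALLOWED_REPOS='rpm-prod reports'                   # placeholder repository keys

# Emit the hardened squid.conf fragment: only the listed repositories, nothing else.
squid_rules() {
  for r in $ALLOWED_REPOS; do
    printf 'acl repo_%s url_regex -i ^https?://%s/artifactory/%s/\n' "$r" "$ARTIFACTORY_HOST" "$r"
  done
  for r in $ALLOWED_REPOS; do printf 'http_access allow repo_%s\n' "$r"; done
  printf 'http_access deny all\n'              # default deny closes the reach-back path
}

# Returns 0 if a URL is inside the allowlist, 1 otherwise (same logic as the ACLs above).
url_allowed() {
  for r in $ALLOWED_REPOS; do
    case "$1" in
      http://"$ARTIFACTORY_HOST"/artifactory/"$r"/*|https://"$ARTIFACTORY_HOST"/artifactory/"$r"/*) return 0 ;;
    esac
  done
  return 1
}

# Replay a native-format access.log (fields: time elapsed client status size method url ...)
# and print "client method url" for every request the hardened rules would have denied.
denied_requests() {
  while read -r _ _ client _ _ method url _; do
    if [ -n "$url" ] && ! url_allowed "$url"; then echo "$client $method $url"; fi
  done
  return 0
}

# Constructed sample log: two legitimate pulls, then two reach-backs into internal hosts
# that an unauthenticated, unrestricted proxy serves without complaint.
SAMPLE_LOG='1700000000.101   12 198.51.100.7 TCP_MISS/200 4096 GET http://artifactory.corp.example/artifactory/rpm-prod/agent.rpm - HIER_DIRECT/10.0.0.5 application/x-rpm
1700000000.202    8 198.51.100.7 TCP_MISS/200 512 GET http://artifactory.corp.example/artifactory/reports/daily.txt - HIER_DIRECT/10.0.0.5 text/plain
1700000000.303   15 198.51.100.9 TCP_MISS/200 2048 GET http://config.corp.example/configurator/site42.sh - HIER_DIRECT/10.0.0.8 text/plain
1700000000.404    9 198.51.100.9 TCP_MISS/200 1024 GET http://artifactory.corp.example/artifactory/internal-tools/build.tgz - HIER_DIRECT/10.0.0.5 application/gzip'

squid_rules
echo "--- requests the allowlist would have denied ---"
echo "$SAMPLE_LOG" | denied_requests
```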


Regulatory Non-Compliance: CISA and SEC Reg SCI

These architectural choices are in direct conflict with federal security mandates and NIST guidelines required for high-frequency trading (HFT) and financial infrastructure:

SEC Regulation SCI (Systems Compliance and Integrity)

Entities subject to Regulation SCI must ensure their systems have "adequate levels of security."

  • Rule 1001(a): Mandates policies to prevent systems intrusions. The inability to revoke keys and the unauthenticated proxy access to internal configuration files represent a failure of system integrity that could lead to a major SCI event.

CISA Zero Trust Maturity Model (ZTMM)

Under CISA guidelines, organizations must move toward a Zero Trust architecture.

  • Identity Pillar: Requires automated revocation of access. Exegy’s lack of a CRL for OpenVPN fails this core requirement.

  • Visibility and Analytics: CISA mandates continuous monitoring for anomalous traffic. The lack of connection monitoring on VPN and proxy feeds represents a total failure of visibility.

NIST SP 800-57 (Recommendation for Key Management)

NIST standards require that every PKI implementation includes a documented, functional revocation mechanism. The current "easy-rsa" deployment, lacking a CRL or OCSP, fails to meet federal cryptographic standards. NIST specifically dictates that a compromise recovery plan must include the immediate revocation of compromised keys.


Required Remediation Roadmap

To move away from the "Magician" philosophy and toward a defensible security posture, the following steps are mandatory:

  1. Implement mTLS for Squid: Synchronize proxy authentication with the VPN credentialing system.

  2. Centralized KMS Deployment: Abandon Git-based certificate storage for a dedicated KMS with automated CRL distribution.

  3. Active Telemetry: Deploy real-time monitoring on Port 4004 and all egress points to flag connections from decommissioned IDs.

  4. Egress Filtering: Restrict the Squid proxy to a strict whitelist of Artifactory repositories.
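A minimal form of the telemetry in step 3, added here as an example that is not Exegy's code: the OpenVPN status file is checked against a list of decommissioned appliance common names, so a retired credential that is still connecting raises an alert even before a CRL exists to reject it. It assumes the default OpenVPN status file layout (status-version 1) and a constructed decommissioned list.

```shell
# Added example, not Exegy's code. Assumes a decommissioned-appliance list kept as one
# common name per line and the default OpenVPN status file layout (status-version 1).
# Flags every live tunnel whose certificate common name was retired: a compensating
# control on port 4004 until a CRL actually invalidates those credentials.
set -e
DECOMMISSIONED='site17-appliance
site22-appliance'                              # constructed list of retired CNs

# Constructed sample status file, as "status /var/log/openvpn-status.log" writes it.
STATUS_LOG='OpenVPN CLIENT LIST
Updated,Mon Jan  1 09:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site03-appliance,203.0.113.10:51234,10240,20480,Mon Jan  1 08:00:00 2024
site17-appliance,198.51.100.23:40001,512,1024,Mon Jan  1 08:55:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,site03-appliance,203.0.113.10:51234,Mon Jan  1 08:59:00 2024
10.8.0.9,site17-appliance,198.51.100.23:40001,Mon Jan  1 08:59:30 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Extract "common_name,real_address" for each connected client from the CLIENT LIST block.
connected_clients() {
  awk -F, '/^ROUTING TABLE/ {exit}
           /^Common Name,/ {inlist=1; next}
           inlist && NF>=2 {print $1 "," $2}'
}

# Print one alert per live tunnel whose CN is on the decommissioned list (stdin = status file).
flag_retired() {
  connected_clients | while IFS=, read -r cn addr; do
    if printf '%s\n' "$DECOMMISSIONED" | grep -qxF -- "$cn"; then
      echo "ALERT retired credential still connecting: cn=$cn from=$addr"
    fi
  done
  return 0
}

echo "$STATUS_LOG" | flag_retired
```

Run it from cron against the real status file and ship the ALERT lines to whatever collects the rest of the fleet's logs; the same list should feed the CRL once one exists.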


Possibly Coming Soon: Part 2: Provisioning Failures and Microkernel Exploitation — How a bad actor on a customer site can leverage Puppet Razor to compromise system integrity.
