Teleport 2.6 Audit Report is Available

Jun 1, 2018 by 

Russell Jones

Teleport will be three years old in just a few weeks. Since its public debut in June 2016, Teleport has been adopted as a PAM solution for SSH by numerous individuals and companies - from start-ups to large enterprises such as banks, semiconductor manufacturers, stock exchanges and government entities.

While we are happy with what we have achieved, three years is still a very young age for a privileged access management product central to cyber security. That is why we remain committed to regularly performing full security audits (as in "all source code") by industry-trusted third parties.

Today, we are announcing another full security audit performed by Cure53.

Who is Cure53?

Cure53 is a team of security researches based in Germany. We like working with them due to their reputation in auditing open source projects and the fact that they publish results publicly for the community to see.

You can see some of their reports published on their web site.

Audit Findings

The full text of the report (PDF) can be downloaded here The summary of the findings is:

  • No critical vulnerabilities have been discovered.
  • One high vulnerability was found: The roles API of the auth server allow directory traversal.
  • Two medium issues have been discovered.
  • Two "info" level issues have been discovered.
  • The latest 2.6.0 release already contains patches for these issues.

Quoting from the report:

Of the five discoveries made during this test, one is considered to be a security vulnerability issue, while the other four were classified as general weaknesses.

IMPORTANT: The discovered issues have been patched and patches were provided for 2.5.x and 2.4.x series (published as 2.5.8 and 2.4.8)

Conclusions

Quoting the "Conclusions" section of the report:

The results of this second-run Cure53 security assessment of the latest release of the Teleport software by Teleport Inc are once again very positive. With the first Cure53-Teleport collaboration already yielding good results, the fact that this time the findings are few and far between across the board is very much praiseworthy...

To read the entire section, download the full report.

Thanks to Cure53 for working with us again!

Teleport cybersecurity blog posts and tech news

Every other week we'll send a newsletter with the latest cybersecurity news and Teleport updates.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Contact us

For more information about Teleport, you can take a look at the documentation or the Github repo. It is open sourced, so feel free to dig in - issues and/or pull requests are welcome. Also, feel free to reach out via email if you have additional questions: [email protected].

Try Teleport today

In the cloud, self-hosted, or open source
Get StartedView developer docs