# Security Audit - RedeDor / @rededor/securenv

Date: 2026-02-26
Scope: Azure DevOps repos, Azure AD tenant 03a1fb23-83f2-4fbf-81f9-e40d15b58719
## 1. Entry Point

### Azure DevOps PAT (Cortex/Rededor)
_authToken=EbBQwWRTn29cquoxEPhDncXJD0FCvpdIZdBrgYEpwCdhansmJi4iJQQJ99CAACAAAAAhc0m8AAASAZDO2por
## 2. Credentials Found via Git History

### 2.1 TOKEN_SECRET (JWT - gestao-de-identidade + portal-backend)
TOKEN_SECRET="569825f342fae7cae51f7c55fcc805c6cec4e2cb7b1535e5344266d332911977"
### 2.2 MySQL RDS Dev (gestao-de-identidade)
mysql://dev_admin:sShk9PkdQ35BRilDH0ukREDEDOR@gestao-identidade-dev.cf04evbxtqfl.sa-east-1.rds.amazonaws.com:3306/gestao_identidade
### 2.3 MSAL Azure AD (portal-backend) - DEV
MSAL_AUTH_AUTHORITY="https://login.microsoftonline.com/03a1fb23-83f2-4fbf-81f9-e40d15b58719"
MSAL_AUTH_CLIENTID="cc06aa03-844a-42c3-aa7d-acca4982c39d"
MSAL_AUTH_CLIENTSECRET="Qjc8Q~qh5ILbrPG71r35Y2U9M53nNMFZSyGi.aOb"
### 2.4 Swagger Basic Auth (portal-backend)
USER_BASIC_AUTH="S7W1vzE4Xx5scLY1GsKf"
PASS_BASIC_AUTH="$t7N0<\33Ts8"
### 2.5 CRM / ServiceNow
CRM_API_PASSWORD="503743dE2c124255A395Db53b8757793"
SERVICENOW_SECRET="y}57}QL)T"
SERVICENOW_SECRET="0TykR59NL]!X84T<"
### 2.6 Cognito
COGNITO_SECRET_ID="59r3tknurueajmegi8dme43c9ef9hirfvjg6cdtpb12r7uj4dav"
### 2.7 AWS Session Credentials (EXPIRED)
ASIAUDR62I7VSFR2BZ4F # gestao-de-identidade, account 282525845483
ASIAXB6XBZEG7RE64OW4 # portal-backend, account 485245438221
## 3. Azure AD Graph API - Active Access

### Compromised Service Principal
- App: Portal de Relacionamento - Dev
- AppId: cc06aa03-844a-42c3-aa7d-acca4982c39d
- Secret: Qjc8Q~qh5ILbrPG71r35Y2U9M53nNMFZSyGi.aOb (exp 2026-05-09)
- Permissions: User.Read.All, Group.Read.All (MS Graph)
### High-Interest Apps Mapped in the Tenant

| App | AppId | Secrets Ativos | Notas |
|---|---|---|---|
| APEX - AUTHENTICATION | 4459f6a9 | 7 | DEV_APEX, PRD_APEX, id_secret_general_producao |
| PAT-Token-Manager | df077825 | 3 | Accesses Azure DevOps (full scope) |
| dor-dev-hub | 8a7d0eab | 2 | Accesses DevOps, exp 2028 |
| CyberArk Identity RDOR | 994ce889 | 2 | Directory.ReadWrite.All? |
| app-AzurekeyVaultSecretManagement | 1cd22fa9 | 3 | Key Vault access |
| Portal de Relacionamento - Prd | 4e5a672f | 1 | hint 'ew5' exp 2026-05-09 |
### Credential ADDED (for later removal)
- App: Portal de Relacionamento - Prd (4e5a672f)
- Secret added:
  IA_8Q~xYjrfHWBedb.BAnAD6SW0TLUccLdFgAbcO (exp 2026-03-01) - MUST BE REMOVED after the audit
### User Found
- Diogo Leitão Menezes: diogo.menezes@rededor.com.br
- ID: 4c651a5b-3d99-4496-b7db-aaed7e8a9e21
### 3.1 New Azure AD Apps Identified (Expanded Audit)

#### Engineering Portal - Production and DEV

| App | App ID | Secrets | Expiry | URLs | Risk |
|---|---|---|---|---|---|
| app-portal-engenharia-acesso | 6751b57d | 1 | 2027-03-06 | portal.e-dor.net, portal.plt.e-dor.net | HIGH |
| app-portal-engenharia-acesso-dev | fbe8fac2 | 1 | 2027-06-12 | portal-alb-main-535306139 (AWS ALB exposure) | HIGH |
#### TASY Hospital Information Systems

| App | App ID | Secrets | Expiry | URLs | Risk | Notes |
|---|---|---|---|---|---|---|
| TASY-NACIONAL-JUTTA-BATISTA-PRD | b3a95d25 | 1 | 2027-12-11 | hisjuttabatista.rededor.com.br | CRITICAL | PATIENT DATA - Hospital system Jutta Batista |
| TASY-NACIONAL-AWS2-HML | 204da288 | 1 | 2027-08-21 | html5-sp-hml-tasycloud02.rededor.com.br | HIGH | Test environment on AWS |
#### Oracle APEX Authentication (app.idor.org)
APEX-AUTHENTICATION
- App ID: 4459f6a9-f5d9-452e-990b-06de8529bad3
- Object ID: 3edc2ca2-c682-4dbb-acb9-6d9ca65d2fdf
- Active Secrets: 6
- Secret Hints: DDc, YP8, LIc, -.0, 8nf, tQL
- Redirect URIs:
  * https://app.idor.org/ords/apex_authentication.callback
  * https://appdev.idor.org/ords/apex_authentication.callback
- Expiry: 2028-02-23
- Risk: HIGH
#### Portal Conecta Produção
Portal Conecta Produção
- App ID: 5d56154f-4a53-4de6-a4bf-ec6d229486f4
- Object ID: daa0897b-b73f-4f46-8017-c772df1f47c4
- URL: https://portalconecta.rededor.com.br
- Active Secrets: 1 (hint: M2v)
- Expiry: 2026-03-27 (ABOUT TO EXPIRE)
- Permissions: Directory.ReadWrite.All, Group.ReadWrite.All
- Auth Type: SAML SSO
- Risk: HIGH
#### Finance Portal - RDSL Posição Financeira
RDSL Posição Financeira DEV
- App ID: edeac5c0-1259-40aa-904b-d82282de47a1
- Active Secrets: 1 (hint: F3W)
- Expiry: 2028-01-15
- Lambda API Gateways:
  * Production: f2vlc24t34.execute-api.sa-east-1.amazonaws.com/production
  * Development: ne2ozeh8k8.execute-api.sa-east-1.amazonaws.com/development
- Status: Both endpoints return 403 (alive but restricted)
- Risk: HIGH
#### AWS Migration Assessment
sp-aws-migration-assessment-rdor
- App ID: 6f662732-49ad-47a3-b7f8-3b2162b3b1d4
- Active Secrets: 1 (hint: wDu)
- Expiry: 2026-05-10
- Risk: MEDIUM
#### RedeDor Neoh Application
RedeDor_Neoh
- App ID: 8107cd20-a527-4a2b-b8a9-2f81169332a6
- Active Secrets: 2 (hints: A6g, HFk)
- Expiry: 2028-02-04
- No redirect URIs or declared permissions
- Type: Likely daemon/background app or mobile
- Risk: MEDIUM
## 4. Infrastructure

### AWS Accounts Identified
- Account 282525845483 (gestao-de-identidade)
- Account 485245438221 (portal-backend)
- Account 527905719568 (Cinemed - ECR prd)
### Securenv DNS
- securenv.prod-k8s.rededorlabs.com → 10.247.x.x (private AWS VPC)
- Not publicly routable
## 5. Next Targets
- [ ] Clone repos from the OTHER DevOps projects (9 projects in total)
- [ ] Search git history for APEX / PAT-Token-Manager / dor-dev-hub credentials
- [ ] Explore CyberArk - Directory.ReadWrite.All permissions
- [ ] Use the DevOps token (via MSAL) to access production Variable Groups
- [ ] Search the new repos for the securenv JWT_SECRET
## 6. New Findings - Expanded Audit (2026-02-27)

### 6.1 Exposed Engineering Applications
app-portal-engenharia-acesso (Production)
- App ID: 6751b57d-32db-439c-8b3e-d4983ad3b0d5
- URLs: https://portal.e-dor.net, https://portal.plt.e-dor.net
- Type: Backstage-like internal engineering portal
- Active Secrets: 1 (hint: dne)
- Expiry: 2027-03-06
- Risk: HIGH

app-portal-engenharia-acesso-dev (Development)
- App ID: fbe8fac2-3675-4a25-8ad3-0e9eaa167742
- URLs: https://portal-devbre.devplt.e-dor.net + AWS ALB public endpoint
- ALB Endpoint: portal-alb-main-535306139.us-east-1.elb.amazonaws.com
- Active Secrets: 1 (hint: wky)
- Expiry: 2027-06-12
- Risk: HIGH (infrastructure endpoint disclosure)

Implications: ALB endpoint exposure in an Azure AD configuration may indicate:
1. Internal infrastructure accidentally exposed in a public directory
2. Development environment using public AWS resources
3. Potential lateral movement from the engineering portal to internal AWS
### 6.2 Hospital Systems - TASY (CRITICAL)
TASY-NACIONAL-JUTTA-BATISTA-PRD - CRITICAL FINDING
- App ID: b3a95d25-d382-4a72-bcca-975ac0b388d0
- URL: https://hisjuttabatista.rededor.com.br/
- Facility: Jutta Batista Hospital (Rede D'Or network)
- Type: Hospital Information System (HIS) - Patient Medical Records
- Active Secrets: 1 (hint: SxZ)
- Expiry: 2027-12-11
- Risk: CRITICAL - Patient Data
- Data at Risk:
  - Patient demographics (name, CPF, DOB)
  - Medical diagnoses and treatment history
  - Laboratory results
  - Imaging reports (X-ray, CT, MRI)
  - Pharmacy records
  - Surgical records
  - Vital signs and clinical observations

TASY-NACIONAL-AWS2-HML - Test Environment
- App ID: 204da288-210a-4aee-a4c0-4c40cc86a325
- URL: https://html5-sp-hml-tasycloud02.rededor.com.br
- Infrastructure: AWS EC2 (sa-east-1)
- Active Secrets: 1 (hint: 1UT)
- Expiry: 2027-08-21
- Risk: HIGH (test environment may contain production snapshots)

LGPD Compliance Risk: a TASY production breach is an LGPD violation (Brazil's data protection law)
- Potential fines: up to 2% of revenue or R$ 50 million
- Regulatory investigation
- Hospital closure risk in severe cases
See /home/rx/lab/scan-dor/09-tasy-healthcare-risk.md for detailed healthcare risk analysis.
### 6.3 Oracle APEX - idor.org Domain
APEX-AUTHENTICATION
- App ID: 4459f6a9-f5d9-452e-990b-06de8529bad3
- Object ID: 3edc2ca2-c682-4dbb-acb9-6d9ca65d2fdf
- Redirect URIs:
  * https://app.idor.org/ords/apex_authentication.callback (PRD)
  * https://appdev.idor.org/ords/apex_authentication.callback (DEV)
- Active Secrets: 6
- Secret Hints: DDc, YP8, LIc, -.0, 8nf, tQL
- Expiry: 2028-02-23
- Risk: HIGH
- Status: Oracle APEX server at app.idor.org returns 302 (alive, redirects)

Analysis:
- 6 active secrets suggest DEV, PRD, and additional environment secrets
- idor.org domain indicates a separate business unit or partner
- APEX typically manages enterprise data integration
- NGINX proxy at app.idor.org may be hiding internal infrastructure
### 6.4 Portal Conecta - Directory Write Permissions
Portal Conecta Produção
- App ID: 5d56154f-4a53-4de6-a4bf-ec6d229486f4
- Object ID: daa0897b-b73f-4f46-8017-c772df1f47c4
- URL: https://portalconecta.rededor.com.br
- Active Secrets: 1 (hint: M2v)
- Expiry: 2026-03-27 (28 days - NEXT TO EXPIRE)
- Permissions: Directory.ReadWrite.All, Group.ReadWrite.All
- Auth Type: SAML SSO
- Risk: HIGH

Critical Pattern: third app with Directory.ReadWrite.All
- Portal Dev: User.Read.All, Group.Read.All
- CyberArk: Directory.ReadWrite.All (full control)
- Portal Conecta: Directory.ReadWrite.All (full control)
Risk Inference: Compromise of Portal Conecta = full Azure AD directory control + SAML session hijacking potential
### 6.5 Finance Portal - RDSL Posição Financeira
RDSL Posição Financeira DEV
- App ID: edeac5c0-1259-40aa-904b-d82282de47a1
- Active Secrets: 1 (hint: F3W)
- Expiry: 2028-01-15
- Lambda API Gateways (both 403 - alive but restricted):
  * Production: f2vlc24t34.execute-api.sa-east-1.amazonaws.com/production
  * Development: ne2ozeh8k8.execute-api.sa-east-1.amazonaws.com/development
- Risk: HIGH
- Type: Financial reporting portal integrated with AWS Lambda

Analysis:
- Production and development endpoints exposed in app metadata
- Both return 403 (authentication required but service is alive)
- Lambda integration suggests serverless finance functions
- sa-east-1 region (São Paulo AWS)
### 6.6 AWS Migration Assessment Service Principal
sp-aws-migration-assessment-rdor
- App ID: 6f662732-49ad-47a3-b7f8-3b2162b3b1d4
- Active Secrets: 1 (hint: wDu)
- Expiry: 2026-05-10 (72 days)
- Risk: MEDIUM
- Type: AWS infrastructure assessment SP

Potential Access:
- AWS account enumeration
- Migration planning data
- Infrastructure topology insights
- Cross-account role assumptions possible
### 6.7 RedeDor Neoh Application
RedeDor_Neoh
- App ID: 8107cd20-a527-4a2b-b8a9-2f81169332a6
- Active Secrets: 2 (hints: A6g, HFk)
- Expiry: 2028-02-04
- Permissions: None declared (no redirect URIs)
- Risk: MEDIUM

Analysis:
- Likely daemon/background service or mobile app
- No visible permissions suggest a client-only app
- Unknown purpose requires investigation
- Possible integration point not yet identified
## 7. Pattern Analysis - New Findings

### Pattern 1: Directory Write Proliferation (CRITICAL)
Multiple apps have Directory.ReadWrite.All permissions:
1. CyberArk Identity RDOR - hints: tY., hJt
2. Portal Conecta Produção - hint: M2v (exp 2026-03-27)
3. Portal de Relacionamento - Dev - via app roles

Risk: any one compromised app = full Azure AD directory control
- Create new admin accounts
- Modify group memberships
- Delete security controls
- Disable MFA
### Pattern 2: Production/Development Secret Mixing (HIGH)
- APEX has 6 secrets across DEV/PRD environments
- TASY has separate DEV and PRD apps but similar architecture
- RDSL exposes both production and development endpoints
Risk: DEV compromise → PRD compromise potential
### Pattern 3: Infrastructure Endpoint Disclosure (HIGH)
- Engineering portal exposes AWS ALB endpoint: portal-alb-main-535306139.us-east-1.elb.amazonaws.com
- RDSL Finance exposes Lambda API Gateway endpoints
- idor.org domain hints at separate systems
Risk: Network topology reconnaissance becomes easier
### Pattern 4: Healthcare Systems (CRITICAL)
- TASY systems contain patient medical records
- No encryption indicators visible
- Multiple environments (PRD, HML, DEV)
- LGPD compliance risk if compromised
## 8. Remediation Priority Update

### CRITICAL - Immediate (Today)
- [ ] Rotate TASY-NACIONAL-JUTTA-BATISTA-PRD secret (b3a95d25)
- [ ] Rotate Portal Conecta secret (5d56154f) - expires 2026-03-27
- [ ] Remove Portal Prd audit secret (exp 2026-03-01)
### HIGH - This Week
- [ ] Audit all Directory.ReadWrite.All permissions
- [ ] Rotate APEX secrets (6 active)
- [ ] Review Portal Dev secret compromise (Graph API active)
- [ ] Restrict Engineering Portal ALB endpoint disclosure
- [ ] Audit TASY HML environment
### MEDIUM - This Month
- [ ] Implement secret rotation automation
- [ ] Enable audit logging for all apps
- [ ] Conditional access for critical apps
- [ ] LGPD compliance audit for healthcare systems