263 lines
11 KiB
Markdown
263 lines
11 KiB
Markdown
# Network Security Considerations
|
|
|
|
This describes network services provided by OpenBMC-based systems, some threats
|
|
the BMC faces from its network interfaces, and steps OpenBMC takes to address
|
|
these threats.
|
|
|
|
This is only intended to be a guide; security is ultimately the responsibility
|
|
of projects which choose to incorporate OpenBMC into their project. If you find
|
|
a security vulnerability, please consider [how to report a security vulnerability][].
|
|
|
|
[how to report a security vulnerability]:
|
|
https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
|
|
|
|
Threats to the BMC are classified using the [CIA triad][]. All threat types are significant;
|
|
here is an example of each:
|
|
|
|
- Confidentiality: If an attacker can get data from the BMC, they may be able to
|
|
chain other vulnerabilities to establish a covert information channel to get
|
|
sensitive information from the host.
|
|
- Integrity: If an attacker can modify BMC settings or data, they may be able to
|
|
gain additional access, and launch more attacks.
|
|
- Availability: If an agent can overwhelm the BMC's resources, either by
|
|
accident or on purpose, the BMC will not be available to service its host
|
|
(denial of service).
|
|
|
|
[cia triad]: https://en.wikipedia.org/wiki/Information_security#Key_concepts
|
|
|
|
This document is organized by how OpenBMC services connect to the network. The
|
|
general flow is:
|
|
|
|
- The BMC is presumed to have a network adapter. The security considerations of
|
|
the NIC are important to the BMC security, but are outside the scope of this
|
|
document.
|
|
- Network traffic then flows through the kernel, detailed below.
|
|
- Finally, connections flow to various OpenBMC services.
|
|
|
|
OpenBMC provides services on TCP and UDP ports. For example, the HTTPS protocol
|
|
on port 443 is used to provide REST APIs and serve Web applications. These
|
|
services are detailed below. Implicit is that all other ports are inactive.
|
|
|
|
OpenBMC also initiates network communications, for example, NTP, LDAP, etc.
|
|
These are covered with their associated functions.
|
|
|
|
## Kernel and ICMP messages
|
|
|
|
Network traffic is handled by the Linux kernel. The exact kernel and device
|
|
driver have security considerations which are important to BMC security, but are
|
|
better addressed by the Linux kernel community. You can learn which kernel and
|
|
patches are used from the kernel recipes typically found in the board support
|
|
packages for the BMC referenced by your machine's configuration. For example, in
|
|
the `https://github.com/openbmc/meta-aspeed` repository under
|
|
`recipes-kernel/linux/linux-aspeed_git.bb`.
|
|
|
|
Per [CVE 1999-0524][], responding to certain ICMP packets can give an attacker more
|
|
information about the BMC's clock or subnet, which can help with subsequent attacks.
|
|
OpenBMC responds to all ICMP requests.
|
|
|
|
[cve 1999-0524]: https://nvd.nist.gov/vuln/detail/CVE-1999-0524
|
|
|
|
General considerations for ICMP messages apply. For example, packet
|
|
fragmentation and packet flooding vulnerabilities.
|
|
|
|
It is sometimes useful to filter and log network messages for debug and other
|
|
diagnostic purposes. OpenBMC provides no support for this.
|
|
|
|
## General considerations for services
|
|
|
|
Several services perform user identification and authentication:
|
|
|
|
- Phosphor REST APIs
|
|
- Redfish REST API SessionService
|
|
- Network IPMI
|
|
- SSH secure shell
|
|
|
|
OpenBMC's [phosphor-user-manager][] provides the underlying authentication and
|
|
authorization functions and ties into IPMI, Linux PAM, LDAP, and logging. Some
|
|
of OpenBMC services use phosphor-user-manager.
|
|
|
|
[phosphor-user-manager]:
|
|
https://github.com/openbmc/docs/blob/master/architecture/user-management.md
|
|
|
|
Transport layer security (TLS) protocols are configured for each service at
|
|
compile time, become part of the image, and cannot be changed dynamically. The
|
|
protocols which use TLS include:
|
|
|
|
- RAKP for IPMI.
|
|
- SSH for ssh and scp.
|
|
- HTTPS for Web and REST APIs.
|
|
|
|
Automated network agents (such as hardware management consoles) may malfunction
|
|
in a way that the BMC continuously gets authentication failures, which may lead
|
|
to denial of service. For example, a brief delay before reporting the failure,
|
|
for example, of one second, may help prevent this problem or lessen its
|
|
severity. See [OWASP Blocking Brute Force Attacks][].
|
|
|
|
[owasp blocking brute force attacks]:
|
|
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
|
|
|
|
Network agents may fail to end a session properly, which causes the service to
|
|
use resources to keep track of orphaned sessions. To help prevent this, services
|
|
may limit the maximum number of concurrent sessions, or have a session
|
|
inactivity timeout.
|
|
|
|
Services which are not required should be disabled to limit the BMC's attack
|
|
surface. For example, a large scale data center may not need a Web interface.
|
|
Services can be disabled in several ways:
|
|
|
|
1. Configure OpenBMC recipes to build the unwanted feature out of the BMC's
|
|
firmware image. This gives the BMC the advantage of a smaller attack
|
|
surface.
|
|
2. Implement something like the [Redfish ManagerNetworkProtocol][] properties for
|
|
IPMI, SSH, and other BMC services, possibly by using shell commands like 'systemctl
|
|
disable ipmid' and 'systemctl stop ipmid'.
|
|
|
|
[redfish managernetworkprotocol]:
|
|
https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
|
|
|
|
Network services should log all authentication attempts with their outcomes to
|
|
satisfy basic monitoring and forensic analysis requirements. For example, as
|
|
part of a real-time monitoring service, or to answer who accessed which services
|
|
at what times.
|
|
|
|
OpenBMC does not have a firewall.
|
|
|
|
Laws may require products built on OpenBMC to have reasonable security built
|
|
into them, for example, by not having a default password. See, for example, [CA
|
|
Law SB-327].
|
|
|
|
[ca law sb-327]:
|
|
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
|
|
|
|
## Services provided on TCP and UDP ports
|
|
|
|
### TCP port 22 - Secure Shell (SSH) access to the BMC
|
|
|
|
The Secure Shell (SSH) protocol is provided, including secure shell (ssh
|
|
command) access to the BMC's shell, and secure copy (scp command) to the BMC's
|
|
file system.
|
|
|
|
The default SSH server implementation is provided by Dropbear. All configuration
|
|
is at compile-time with defaults for:
|
|
|
|
- Authentication provided by Linux PAM, where methods include username and
|
|
password, and SSH certificates (the `ssh-keygen` command).
|
|
- Transport layer security (TLS) protocols offered.
|
|
|
|
SSH access to the BMC's shell is not the intended way to operate the BMC, gives
|
|
the operator more privilege than is needed, and may not be allowed on BMCs which
|
|
service hosts that process sensitive data. However, BMC shell access may be
|
|
needed to provision the BMC or to help diagnose problems during its operation.
|
|
|
|
### TCP port 443 - HTTPS REST APIs and Web application
|
|
|
|
BMCWeb is the Web server for:
|
|
|
|
- The Redfish REST APIs.
|
|
- The webui-vue Web interface.
|
|
- The Phosphor D-Bus REST interface. And initiates WebSockets for:
|
|
- Host KVM.
|
|
- Virtual media.
|
|
- Host serial console.
|
|
|
|
The [BMCWeb configuration][] controls which services are provided.
|
|
|
|
General security considerations for HTTP servers apply such as given by [OWASP
|
|
Application Security][].
|
|
|
|
BMCWeb controls which HTTPS transport layer security (TLS) ciphers it offers via
|
|
compile-time header file `include/ssl_key_handler.hpp` in the
|
|
https://github.com/openbmc/bmcweb repository. The implementation is provided by
|
|
OpenSSL.
|
|
|
|
BMCWeb provides appropriate HTTP response headers, for example, in header file
|
|
`include/security_headers_middleware.hpp` and `crow/include/crow/websocket.h` in
|
|
the https://github.com/openbmc/bmcweb repository.
|
|
|
|
[bmcweb configuration]: https://github.com/openbmc/bmcweb#configuration
|
|
[owasp application security]:
|
|
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
|
|
|
|
#### REST APIs
|
|
|
|
BMCWeb offers three authentication methods:
|
|
|
|
1. The Redfish SessionService, which takes a username and password and provides
|
|
an X-Auth token.
|
|
2. The Phosphor D-Bus REST interface '/login' URI, which takes a username and
|
|
password and provides a session cookie. This method is deprecated in
|
|
OpenBMC.
|
|
3. Basic Access Authentication, which takes a username and password (often URL
|
|
encoded like https://user:pass@host/...) in an "Authorization" request
|
|
header, and returns no credentials. This method is deprecated by RFC 3986.
|
|
|
|
The username and password are presented to phosphor-user-manager for
|
|
authentication.
|
|
|
|
The first two methods create the same kind of session but return different
|
|
credentials. For example, you can create a Redfish session, and use your
|
|
credentials to invoke Phosphor D-Bus REST APIs. Note, however, that the X-Auth
|
|
tokens are required to use POST, PUT, PATCH, or DELETE methods.
|
|
|
|
General security considerations for REST APIs apply:
|
|
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md
|
|
|
|
Redfish provides security considerations in the "Security Detail" section of the
|
|
"Redfish Specification" (document ID DSP0266) available from
|
|
https://www.dmtf.org/standards/redfish.
|
|
|
|
#### The webui-vue Web application
|
|
|
|
General considerations for Web applications such as given by [OWASP
|
|
Web Application Security Guidance][] apply to OpenBMC. The webui-vue uses
|
|
username and password-based authentication, and REST APIs for subsequent access.
|
|
|
|
[owasp web application security guidance]:
|
|
https://www.owasp.org/index.php/Web_Application_Security_Guidance
|
|
|
|
The web app also provides interfaces to use the host serial console, virtual
|
|
media, and host KVM.
|
|
|
|
### TCP port 2200
|
|
|
|
Access to the BMC's [host serial console][] is provided via the SSH protocol on
|
|
port 2200.
|
|
|
|
[host serial console]: https://github.com/openbmc/docs/blob/master/console.md
|
|
|
|
This uses the same server implementation as port 22, including the same TLS
|
|
mechanisms.
|
|
|
|
How the host secures its console (for example, username and password prompts) is
|
|
outside the scope of this document.
|
|
|
|
### TCP and UDP ports 5355 - mDNS service discovery
|
|
|
|
General security considerations for service discovery apply. For example,
|
|
described here: https://attack.mitre.org/techniques/T1046/
|
|
|
|
### UDP port 427 - SLP, Avahi
|
|
|
|
General security considerations for service discovery apply.
|
|
|
|
### UDP port 623 - IPMI RCMP
|
|
|
|
The IPMI network-facing design is described here:
|
|
https://github.com/openbmc/docs/blob/master/architecture/ipmi-architecture.md
|
|
and the implementation is described here:
|
|
https://github.com/openbmc/phosphor-net-ipmid. Note that host IPMI is outside
|
|
the scope of this document.
|
|
|
|
General security considerations for IPMI apply. For example, described here:
|
|
https://www.us-cert.gov/ncas/alerts/TA13-207A
|
|
|
|
OpenBMC implements RCMP+ and IPMI 2.0. The phosphor-user-manager provides the
|
|
underlying authentication mechanism.
|
|
|
|
Supported IPMI ciphers can be found in the code, for example, by searching for
|
|
function `isAlgorithmSupported`, or from the `ipmitool` command such as
|
|
`ipmitool channel getciphers ipmi`.
|
|
|
|
OpenBMC supports IPMI "serial over LAN" (SOL) connections (via
|
|
`impitool sol activate`) which shares the host serial console socket.
|