# Network Security Considerations

This describes network services provided by OpenBMC-based systems, some threats
the BMC faces from its network interfaces, and steps OpenBMC takes to address
these threats.

This is only intended to be a guide; security is ultimately the responsibility
of the projects which choose to incorporate OpenBMC into their products. If you
find a security vulnerability, please consider
[how to report a security vulnerability][].

[how to report a security vulnerability]:
  https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md

Threats to the BMC are classified using the [CIA triad][]. All three threat types
are significant; here is an example of each:

- Confidentiality: If an attacker can get data from the BMC, they may be able to
  chain other vulnerabilities to establish a covert information channel to get
  sensitive information from the host.
- Integrity: If an attacker can modify BMC settings or data, they may be able to
  gain additional access and launch further attacks.
- Availability: If an agent can overwhelm the BMC's resources, either by
  accident or on purpose, the BMC will not be available to service its host
  (denial of service).

[cia triad]: https://en.wikipedia.org/wiki/Information_security#Key_concepts

This document is organized by how OpenBMC services connect to the network. The
general flow is:

- The BMC is presumed to have a network adapter. The security considerations of
  the NIC are important to BMC security, but are outside the scope of this
  document.
- Network traffic then flows through the kernel, detailed below.
- Finally, connections flow to the various OpenBMC services.

OpenBMC provides services on TCP and UDP ports. For example, the HTTPS protocol
on port 443 is used to provide REST APIs and serve Web applications. These
services are detailed below. Implicit is that all other ports are inactive: a
listening port that is not accounted for in this document is either an
unexpected service or a misconfiguration and should be investigated.
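
The "all other ports are inactive" assumption is cheap to verify on a running
BMC. The following is an added example, not OpenBMC code: it parses the output
of the iproute2 `ss -Hltun` command (listening TCP and UDP sockets, numeric, no
header) and reports every network-reachable socket that the port sections of this
document do not account for. The expected set is taken from those sections; the
sample `ss` output is constructed for the example.

```python
"""Listening-port audit for an OpenBMC system (added example, not OpenBMC code).

Parses `ss -Hltun` output and reports network-reachable listeners that are not
in the set of ports this document describes. Loopback-bound sockets are ignored
because they are not reachable from the network.
"""
import subprocess
from typing import List, Set, Tuple

Socket = Tuple[str, int, str]  # (protocol, port, local address)

# (protocol, port) pairs described in this document. Anything else is unexpected.
EXPECTED: Set[Tuple[str, int]] = {
    ("tcp", 22),    # SSH shell and scp (Dropbear)
    ("tcp", 443),   # HTTPS: Redfish, webui-vue, Phosphor REST (BMCWeb)
    ("tcp", 2200),  # host serial console over SSH
    ("udp", 5353),  # mDNS service discovery
    ("udp", 427),   # SLP service discovery
    ("udp", 623),   # IPMI RMCP+
}

# Constructed sample in the column layout `ss -Hltun` prints:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0          0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:623        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:427        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:2200       0.0.0.0:*
tcp   LISTEN 0      128           [::]:22            [::]:*
tcp   LISTEN 0      128        0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:5000       0.0.0.0:*
"""


def parse_ss(text: str) -> List[Socket]:
    """Return (protocol, port, local address) for each tcp/udp line in ss output."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # tolerate a header line, blank lines, or unix sockets
        addr, _, port = fields[4].rpartition(":")  # works for "[::]:22" and "*:22"
        if not port.isdigit():
            continue
        sockets.append((fields[0], int(port), addr))
    return sockets


def is_loopback(addr: str) -> bool:
    """Loopback-bound sockets are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def unexpected_ports(sockets: List[Socket],
                     expected: Set[Tuple[str, int]] = EXPECTED) -> List[Tuple[str, int]]:
    """Sorted network-reachable (protocol, port) pairs missing from the expected set."""
    found = {(proto, port) for proto, port, addr in sockets if not is_loopback(addr)}
    return sorted(found - expected)


def audit_live_system() -> List[Tuple[str, int]]:
    """Run ss on this machine (needs iproute2) and return the unexpected listeners."""
    out = subprocess.run(["ss", "-Hltun"], check=True,
                         capture_output=True, text=True).stdout
    return unexpected_ports(parse_ss(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use audit_live_system() on a BMC.
    for proto, port in unexpected_ports(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {proto}/{port}")
```

On the constructed sample the audit reports `tcp/8080` and `udp/69` and ignores
the loopback-only `127.0.0.1:5000`; on a real BMC, feed it `audit_live_system()`
and treat every hit as a service to identify and, per the guidance below, build
out or disable.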

OpenBMC also initiates network communications, for example, NTP, LDAP, etc.
These are covered with their associated functions.

## Kernel and ICMP messages

Network traffic is handled by the Linux kernel. The exact kernel and device
driver have security considerations which are important to BMC security, but are
better addressed by the Linux kernel community. You can learn which kernel and
patches are used from the kernel recipes typically found in the board support
packages for the BMC referenced by your machine's configuration. For example, in
the `https://github.com/openbmc/meta-aspeed` repository under
`recipes-kernel/linux/linux-aspeed_git.bb`.

Per [CVE-1999-0524][], answering ICMP timestamp requests (type 13) and address
mask requests (type 17) from arbitrary hosts gives an attacker information about
the BMC's clock or subnet, which can help with subsequent attacks. OpenBMC
responds to all ICMP requests, including these.

[cve-1999-0524]: https://nvd.nist.gov/vuln/detail/CVE-1999-0524

General considerations for ICMP messages apply, for example, packet
fragmentation and packet flooding vulnerabilities.

It is sometimes useful to filter and log network messages for debug and other
diagnostic purposes. OpenBMC provides no support for this.

## General considerations for services

Several services perform user identification and authentication:

- Phosphor REST APIs
- Redfish REST API SessionService
- Network IPMI
- SSH secure shell

OpenBMC's [phosphor-user-manager][] provides the underlying authentication and
authorization functions and ties into IPMI, Linux PAM, LDAP, and logging. Some
OpenBMC services use phosphor-user-manager directly.

[phosphor-user-manager]:
  https://github.com/openbmc/docs/blob/master/architecture/user-management.md

The transport security mechanism of each service is configured at compile time,
becomes part of the image, and cannot be changed dynamically. The mechanisms
are:

- RMCP+ (RAKP authentication and session encryption) for IPMI.
- The SSH transport for ssh and scp.
- Transport layer security (TLS, as HTTPS) for Web and REST APIs.

Automated network agents (such as hardware management consoles) may malfunction
in a way that the BMC continuously gets authentication failures, which may lead
to denial of service. A brief delay before reporting each failure, for example
one second, may prevent this problem or lessen its severity, and also slows
password guessing. See [OWASP Blocking Brute Force Attacks][].

[owasp blocking brute force attacks]:
  https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

Network agents may fail to end a session properly, which causes the service to
use resources to keep track of orphaned sessions. To help prevent this, services
may limit the maximum number of concurrent sessions, or have a session
inactivity timeout.

Services which are not required should be disabled to limit the BMC's attack
surface. For example, a large-scale data center may not need a Web interface.
Services can be disabled in several ways:

1. Configure OpenBMC recipes to build the unwanted feature out of the BMC's
   firmware image. This gives the BMC the advantage of a smaller attack
   surface.
2. Implement something like the [Redfish ManagerNetworkProtocol][] properties for
   IPMI, SSH, and other BMC services, possibly by using shell commands like
   `systemctl disable ipmid` and `systemctl stop ipmid` (and the matching
   `.socket` unit, if the service is socket-activated, or systemd will start it
   again on the next connection).

[redfish managernetworkprotocol]:
  https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json

Network services should log all authentication attempts with their outcomes to
satisfy basic monitoring and forensic analysis requirements, for example, as
part of a real-time monitoring service, or to answer who accessed which services
at what times.

OpenBMC does not have a firewall.

Laws may require products built on OpenBMC to have reasonable security built
into them, for example, by not having a default password.
See, for example, [CA Law SB-327][].

[ca law sb-327]:
  https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

## Services provided on TCP and UDP ports

### TCP port 22 - Secure Shell (SSH) access to the BMC

The Secure Shell (SSH) protocol is provided, including secure shell (ssh
command) access to the BMC's shell, and secure copy (scp command) to the BMC's
file system.

The default SSH server implementation is provided by Dropbear. All configuration
is at compile time, with defaults for:

- Authentication provided by Linux PAM, where methods include username and
  password, and SSH public keys (key pairs generated with the `ssh-keygen`
  command).
- The key exchange, cipher, and MAC algorithms offered by the SSH transport.

SSH access to the BMC's shell is not the intended way to operate the BMC, gives
the operator more privilege than is needed, and may not be allowed on BMCs which
service hosts that process sensitive data. However, BMC shell access may be
needed to provision the BMC or to help diagnose problems during its operation.

### TCP port 443 - HTTPS REST APIs and Web application

BMCWeb is the Web server for:

- The Redfish REST APIs.
- The webui-vue Web interface.
- The Phosphor D-Bus REST interface.

BMCWeb also initiates WebSockets for:

- Host KVM.
- Virtual media.
- Host serial console.

The [BMCWeb configuration][] controls which services are provided.

General security considerations for HTTP servers apply, such as those given by
[OWASP Application Security][].

BMCWeb controls which HTTPS transport layer security (TLS) ciphers it offers via
the compile-time header file `include/ssl_key_handler.hpp` in the
https://github.com/openbmc/bmcweb repository. The implementation is provided by
OpenSSL.
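
The session controls listed under "General considerations for services" above (a
delay on every authentication failure, a cap on concurrent sessions, an
inactivity timeout that reaps orphaned sessions, and a log line for every
attempt) apply directly to the X-Auth-Token sessions that BMCWeb's Redfish
SessionService issues, described next. The following is an added example and not
BMCWeb code; it shows one way to implement those controls together. The
`authenticate` callback stands in for phosphor-user-manager and PAM, and the
demo user, salt, thresholds (1 s delay, 16 sessions, 30 min idle) and `FakeClock`
helper are assumptions made for the example.

```python
"""Redfish-style session store (added example, not BMCWeb code).

Demonstrates: uniform delay on authentication failure, concurrent-session cap,
inactivity timeout, random tokens, constant-time token comparison, and logging
of every attempt. A clock and sleep function are injectable so the behaviour
can be exercised deterministically.
"""
import hashlib
import hmac
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

log = logging.getLogger("sessionservice")

# Constructed credential check standing in for phosphor-user-manager / PAM.
_DEMO_SALT = b"constructed-salt-not-for-production"


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, 50_000)


DEMO_USERS: Dict[str, bytes] = {"admin": _derive("constructed-example-password")}


def demo_authenticate(user: str, password: str) -> bool:
    candidate = _derive(password)  # always do the work: timing must not reveal valid usernames
    stored = DEMO_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Session:
    token: str
    user: str
    source: str
    last_active: float


class SessionStore:
    def __init__(self, authenticate: Callable[[str, str], bool], *,
                 max_sessions: int = 16, idle_timeout: float = 30 * 60.0,
                 failure_delay: float = 1.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self._authenticate, self._max_sessions = authenticate, max_sessions
        self._idle_timeout, self._failure_delay = idle_timeout, failure_delay
        self._clock, self._sleep = clock, sleep
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, source: str) -> Optional[str]:
        """Return a new X-Auth-Token, or None for bad credentials or a full session table."""
        self._expire_idle()
        if not self._authenticate(user, password):
            log.warning("auth failure user=%s source=%s", user, source)
            self._sleep(self._failure_delay)  # same delay for every failure: throttles looping agents and guessing
            return None
        if len(self._sessions) >= self._max_sessions:
            log.warning("session limit reached user=%s source=%s", user, source)
            return None  # a Redfish service reports SessionLimitExceeded instead of growing without bound
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(token, user, source, self._clock())
        log.info("auth success user=%s source=%s", user, source)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        """Validate a presented token and refresh its activity time; None if unknown or expired."""
        self._expire_idle()
        for stored, session in self._sessions.items():
            if hmac.compare_digest(stored, token):  # constant-time compare against each stored token
                session.last_active = self._clock()
                return session
        return None

    def logout(self, token: str) -> bool:
        session = self.lookup(token)
        if session is None:
            return False
        del self._sessions[session.token]
        log.info("session ended user=%s source=%s", session.user, session.source)
        return True

    def active_count(self) -> int:
        self._expire_idle()
        return len(self._sessions)

    def _expire_idle(self) -> None:
        """Reap sessions whose client stopped talking without a DELETE (orphaned sessions)."""
        now = self._clock()
        for token, session in list(self._sessions.items()):
            if now - session.last_active > self._idle_timeout:
                log.info("session expired idle user=%s source=%s", session.user, session.source)
                del self._sessions[token]


class FakeClock:
    """Deterministic clock for exercising timeouts without waiting (example helper)."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now
```

Two details matter more than they look: the failure delay is applied uniformly
(wrong password and unknown user take the same path, and the credential check
always runs), so the delay does not become a user-enumeration oracle; and idle
expiry runs on every entry point, so an agent that never sends the DELETE still
frees its slot after the timeout.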

BMCWeb provides appropriate HTTP response headers, for example, in header file
`include/security_headers_middleware.hpp` and `crow/include/crow/websocket.h` in
the https://github.com/openbmc/bmcweb repository.

[bmcweb configuration]: https://github.com/openbmc/bmcweb#configuration
[owasp application security]:
  https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

#### REST APIs

BMCWeb offers three authentication methods:

1. The Redfish SessionService, which takes a username and password and provides
   an X-Auth-Token.
2. The Phosphor D-Bus REST interface `/login` URI, which takes a username and
   password and provides a session cookie. This method is deprecated in
   OpenBMC.
3. Basic Access Authentication, which takes a username and password in an
   `Authorization` request header on every request and returns no session
   credential. Clients sometimes embed the credentials in the URL
   (https://user:pass@host/...); that form is deprecated by RFC 3986
   (section 3.2.1), and it leaves the password in shell histories, proxy logs,
   and referrer headers.

The username and password are presented to phosphor-user-manager for
authentication.

The first two methods create the same kind of session but return different
credentials. For example, you can create a Redfish session and use its
credentials to invoke Phosphor D-Bus REST APIs. Note, however, that the
X-Auth-Token is required to use the POST, PUT, PATCH, or DELETE methods.

General security considerations for REST APIs apply:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md

Redfish provides security considerations in the "Security Detail" section of the
"Redfish Specification" (document ID DSP0266) available from
https://www.dmtf.org/standards/redfish.

#### The webui-vue Web application

General considerations for Web applications, such as those given by [OWASP
Web Application Security Guidance][], apply to OpenBMC. The webui-vue uses
username and password-based authentication, and REST APIs for subsequent access.

[owasp web application security guidance]:
  https://www.owasp.org/index.php/Web_Application_Security_Guidance

The web app also provides interfaces to use the host serial console, virtual
media, and host KVM.

### TCP port 2200

Access to the BMC's [host serial console][] is provided via the SSH protocol on
port 2200.

[host serial console]: https://github.com/openbmc/docs/blob/master/console.md

This uses the same Dropbear server implementation as port 22, including the same
SSH transport and authentication mechanisms.

How the host secures its console (for example, username and password prompts) is
outside the scope of this document.

### UDP port 5353 - mDNS service discovery

mDNS is provided by Avahi. General security considerations for service discovery
apply, for example, as described here: https://attack.mitre.org/techniques/T1046/

### UDP port 427 - SLP service discovery

General security considerations for service discovery apply.

### UDP port 623 - IPMI RMCP+

The IPMI network-facing design is described here:
https://github.com/openbmc/docs/blob/master/architecture/ipmi-architecture.md
and the implementation is described here:
https://github.com/openbmc/phosphor-net-ipmid. Note that host IPMI is outside
the scope of this document.

General security considerations for IPMI apply, for example, as described here:
https://www.us-cert.gov/ncas/alerts/TA13-207A

OpenBMC implements RMCP+ and IPMI 2.0. The phosphor-user-manager provides the
underlying authentication mechanism.

Supported IPMI cipher suites can be found in the code, for example, by searching
for the function `isAlgorithmSupported`, or from the `ipmitool` command such as
`ipmitool channel getciphers ipmi`.
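
The list that `ipmitool channel getciphers ipmi` prints is only useful if someone
reads it for the weaknesses TA13-207A describes, above all cipher suite 0, which
needs no authentication at all. The following is an added example, not OpenBMC
or ipmitool code: it parses that table and classifies each suite by its
authentication, integrity and confidentiality algorithms. The sample table is
constructed in ipmitool's column layout (ID, IANA, Auth Alg, Integrity Alg,
Confidentiality Alg); run the real command against your BMC and feed the output
to `audit()` to check your own configuration.

```python
"""Audit IPMI 2.0 / RMCP+ cipher suites (added example, not OpenBMC code).

Parses the table printed by `ipmitool channel getciphers ipmi` and flags suites
that leave a session unauthenticated, unprotected against forgery, or in
cleartext. Findings prefixed FAIL make a suite unacceptable; WARN is advisory.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in ipmitool's layout; a real BMC may list a different subset.
SAMPLE_GETCIPHERS = """\
ID   IANA    Auth Alg        Integrity Alg   Confidentiality Alg
0    N/A     none            none            none
1    N/A     hmac_sha1       none            none
2    N/A     hmac_sha1       hmac_sha1_96    none
3    N/A     hmac_sha1       hmac_sha1_96    aes_cbc_128
17   N/A     hmac_sha256     hmac_sha256_128 aes_cbc_128
"""


@dataclass(frozen=True)
class CipherSuite:
    suite_id: int
    auth: str
    integrity: str
    confidentiality: str


def parse_getciphers(text: str) -> List[CipherSuite]:
    """Return one CipherSuite per table row; header and unrelated lines are skipped."""
    suites: List[CipherSuite] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        suites.append(CipherSuite(int(fields[0]), fields[2].lower(),
                                  fields[3].lower(), fields[4].lower()))
    return suites


def findings(suite: CipherSuite) -> List[str]:
    """Security findings for one suite; an empty list means no concerns."""
    out: List[str] = []
    if suite.auth == "none":
        out.append("FAIL: no authentication; any client can open a session (cipher suite 0)")
    if suite.integrity == "none":
        out.append("FAIL: no integrity; session packets can be forged or replayed")
    if suite.confidentiality == "none":
        out.append("FAIL: no confidentiality; payloads, including SOL console traffic, are cleartext")
    if "sha1" in suite.auth or "sha1" in suite.integrity:
        out.append("WARN: legacy SHA-1 algorithms; prefer suite 17 (HMAC-SHA256, AES-CBC-128) where clients allow")
    return out


def audit(text: str) -> Dict[int, List[str]]:
    """Map each suite ID in ipmitool output to its findings."""
    return {s.suite_id: findings(s) for s in parse_getciphers(text)}


def acceptable_suites(text: str) -> List[int]:
    """Suite IDs with no FAIL finding, in the order the BMC listed them."""
    return [sid for sid, f in audit(text).items()
            if not any(x.startswith("FAIL") for x in f)]


if __name__ == "__main__":
    for sid, f in audit(SAMPLE_GETCIPHERS).items():
        print(f"suite {sid}: " + ("; ".join(f) or "OK"))
```

On the constructed sample only suites 3 and 17 pass, and 3 carries the SHA-1
advisory. A BMC that advertises suite 0, 1 or 2 should have them removed from the
supported set, since a client can ask for them and the SOL traffic described
below would then cross the network unprotected.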

OpenBMC supports IPMI "serial over LAN" (SOL) connections (via
`ipmitool sol activate`) which share the host serial console socket. SOL traffic
is carried inside the IPMI session, so its confidentiality and integrity are
those of the negotiated cipher suite.