1# Network Security Considerations 2 3This describes network services provided by OpenBMC-based systems, 4some threats the BMC faces from its network interfaces, and steps 5OpenBMC takes to address these threats. 6 7This is only intended to be a guide; security is ultimately the 8responsibility of projects which choose to incorporate OpenBMC into 9their project. If you find a security vulnerability, please 10consider [how to report a security vulnerability][]. 11 12[how to report a security vulnerability]: https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md 13 14Threats to the BMC are classified using the [CIA triad][]. All threat 15types are significant; here is an example of each: 16 - Confidentiality: If an attacker can get data from the BMC, they may 17 be able to chain other vulnerabilities to establish a covert 18 information channel to get sensitive information from the host. 19 - Integrity: If an attacker can modify BMC settings or data, they may 20 be able to gain additional access, and launch more attacks. 21 - Availability: If an agent can overwhelm the BMC's resources, either 22 by accident or on purpose, the BMC will not be available to service 23 its host (denial of service). 24 25[CIA triad]: https://en.wikipedia.org/wiki/Information_security#Key_concepts 26 27This document is organized by how OpenBMC services connect to the 28network. The general flow is: 29 - The BMC is presumed to have a network adapter. The security 30 considerations of the NIC are important to the BMC security, but 31 are outside the scope of this document. 32 - Network traffic then flows through the kernel, detailed below. 33 - Finally, connections flow to various OpenBMC services. 34 35OpenBMC provides services on TCP and UDP ports. For example, the 36HTTPS protocol on port 443 is used to provide REST APIs and serve Web 37applications. These services are detailed below. Implicit is that 38all other ports are inactive. 39 40OpenBMC also initiates network communications, for example, NTP, LDAP, 41etc. These are covered with their associated functions. 42 43 44## Kernel and ICMP messages 45 46Network traffic is handled by the Linux kernel. The exact kernel and 47device driver have security considerations which are important to BMC 48security, but are better addressed by the Linux kernel community. 49You can learn which kernel and patches are used from the kernel 50recipes typically found in the board support packages for the BMC 51referenced by your machine's configuration. For example, in the 52`https://github.com/openbmc/meta-aspeed` repository under 53`recipes-kernel/linux/linux-aspeed_git.bb`. 54 55Per [CVE 1999-0524][], responding to certain ICMP packets can give an 56attacker more information about the BMC's clock or subnet, which can 57help with subsequent attacks. OpenBMC responds to all ICMP requests. 58 59[CVE 1999-0524]: https://nvd.nist.gov/vuln/detail/CVE-1999-0524 60 61General considerations for ICMP messages apply. For example, packet 62fragmentation and packet flooding vulnerabilities. 63 64It is sometimes useful to filter and log network messages for debug and 65other diagnostic purposes. OpenBMC provides no support for this. 66 67 68## General considerations for services 69 70Several services perform user identification and authentication: 71 - Phosphor REST APIs 72 - Redfish REST API SessionService 73 - Network IPMI 74 - SSH secure shell 75 76OpenBMC's [phosphor-user-manager][] provides the underlying 77authentication and authorization functions and ties into IPMI, Linux 78PAM, LDAP, and logging. Some of OpenBMC services use phosphor-user-manager. 79 80[phosphor-user-manager]: https://github.com/openbmc/docs/blob/master/architecture/user_management.md 81 82Transport layer security (TLS) protocols are configured for each 83service at compile time, become part of the image, and cannot be 84changed dynamically. The protocols which use TLS include: 85 - RAKP for IPMI. 86 - SSH for ssh and scp. 87 - HTTPS for Web and REST APIs. 88 89Automated network agents (such as hardware management consoles) may 90malfunction in a way that the BMC continuously gets authentication 91failures, which may lead to denial of service. For example, a brief 92delay before reporting the failure, for example, of one second, may 93help prevent this problem or lessen its severity. See [OWASP Blocking 94Brute Force Attacks][]. 95 96[OWASP Blocking Brute Force Attacks]: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks 97 98Network agents may fail to end a session properly, which causes the 99service to use resources to keep track of orphaned sessions. To help 100prevent this, services may limit the maximum number of concurrent 101sessions, or have a session inactivity timeout. 102 103Services which are not required should be disabled to limit the BMC's 104attack surface. For example, a large scale data center may not need a 105Web interface. Services can be disabled in several ways: 106 1. Configure OpenBMC recipes to build the unwanted feature out of the 107 BMC's firmware image. This gives the BMC the advantage of a 108 smaller attack surface. 109 2. Implement something like the [Redfish ManagerNetworkProtocol][] 110 properties for IPMI, SSH, and other BMC services, possibly by 111 using shell commands like 'systemctl disable ipmid' and 'systemctl 112 stop ipmid'. 113 114[Redfish ManagerNetworkProtocol]: https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json 115 116Network services should log all authentication attempts with their 117outcomes to satisfy basic monitoring and forensic analysis 118requirements. For example, as part of a real-time monitoring service, 119or to answer who accessed which services at what times. 120 121OpenBMC does not have a firewall. 122 123Laws may require products built on OpenBMC to have reasonable security 124built into them, for example, by not having a default password. See, 125for example, [CA Law SB-327]. 126 127[CA Law SB-327]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327 128 129## Services provided on TCP and UPD ports 130 131### TCP port 22 - Secure Shell (SSH) access to the BMC 132 133The Secure Shell (SSH) protocol is provided, including secure shell 134(ssh command) access to the BMC's shell, and secure copy (scp command) 135to the BMC's file system. 136 137The default SSH server implementation is provided by Dropbear. 138All configuration is at compile-time with defaults for: 139 - Authentication provided by Linux PAM, where methods include 140 username and password, and SSH certificates (the `ssh-keygen` 141 command). 142 - Transport layer security (TLS) protocols offered. 143 144SSH access to the BMC's shell is not the intended way to operate the 145BMC, gives the operator more privilege than is needed, and may not be 146allowed on BMCs which service hosts that process sensitive data. 147However, BMC shell access may be needed to provision the BMC or to 148help diagnose problems during its operation. 149 150 151### TCP port 443 - HTTPS REST APIs and Web application 152 153BMCWeb is the Web server for: 154 - The Redfish REST APIs. 155 - The phosphor-webui Web interface. 156 - The Phosphor D-Bus REST interface. 157And initiates WebSockets for: 158 - Host KVM. 159 - Virtual media. 160 - Host serial console. 161 162The [BMCWeb configuration][] controls which services are provided. 163 164General security considerations for HTTP servers apply such as given 165by [OWASP Application Security][]. 166 167BMCWeb controls which HTTPS transport layer security (TLS) ciphers it 168offers via compile-time header file `include/ssl_key_handler.hpp` in 169the https://github.com/openbmc/bmcweb repository. The implementation 170is provided by OpenSSL. 171 172BMCWeb provides appropriate HTTP response headers, for example, in 173header file `include/security_headers_middleware.hpp` and 174`crow/include/crow/websocket.h` in the 175https://github.com/openbmc/bmcweb repository. 176 177[BMCWeb configuration]: https://github.com/openbmc/bmcweb#configuration 178[OWASP Application Security]: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project 179 180#### REST APIs 181 182BMCWeb offers three authentication methods: 183 184 1. The Redfish SessionService, which takes a username and password 185 and provides an X-Auth token. 186 2. The Phosphor D-Bus REST interface '/login' URI, which takes a 187 username and password and provides a session cookie. This method 188 is deprecated in OpenBMC. 189 3. Basic Access Authentication, which takes a username and password 190 (often URL encoded like https://user:pass@host/...) in an 191 "Authorization" request header, and returns no credentials. This 192 method is deprecated by RFC 3986. 193 194The username and password are presented to phosphor-user-manager for 195authentication. 196 197The first two methods create the same kind of session but return 198different credentials. For example, you can create a Redfish session, 199and use your credentials to invoke Phosphor D-Bus REST APIs. Note, 200however, that the X-Auth tokens are required to use POST, PUT, PATCH, 201or DELETE methods. 202 203General security considerations for REST APIs apply: 204https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md 205 206Redfish provides security considerations in the "Security Detail" 207section of the "Redfish Specification" (document ID DSP0266) available 208from https://www.dmtf.org/standards/redfish. 209 210#### The phosphor-webui Web application 211 212General considerations for Web applications such as given by [OWASP 213Web Application Security Guidance][] apply to OpenBMC. The 214phosphor-webui uses username and password-based authentication, and 215REST APIs for subsequent access. 216 217[OWASP Web Application Security Guidance]: https://www.owasp.org/index.php/Web_Application_Security_Guidance 218 219The web app also provides interfaces to use the host serial console, 220virtual media, and host KVM. 221 222### TCP port 2200 223 224Access to the BMC's [host serial console][] is provided via the SSH 225protocol on port 2200. 226 227[host serial console]: https://github.com/openbmc/docs/blob/master/console.md 228 229This uses the same server implementation as port 22, including the 230same TLS mechanisms. 231 232How the host secures its console (for example, username and password 233prompts) is outside the scope of this document. 234 235### TCP and UDP ports 5355 - mDNS service discovery 236 237General security considerations for service discovery apply. For 238example, described here: https://attack.mitre.org/techniques/T1046/ 239 240### UDP port 427 - SLP, Avahi 241 242General security considerations for service discovery apply. 243 244### UDP port 623 - IPMI RCMP 245 246The IPMI network-facing design is described here: 247https://github.com/openbmc/docs/blob/master/architecture/ipmi-architecture.md and 248the implementation is described here: 249https://github.com/openbmc/phosphor-net-ipmid. 250Note that host IPMI is outside the scope of this document. 251 252General security considerations for IPMI apply. For example, 253described here: https://www.us-cert.gov/ncas/alerts/TA13-207A 254 255OpenBMC implements RCMP+ and IPMI 2.0. The phosphor-user-manager 256provides the underlying authentication mechanism. 257 258Supported IPMI ciphers can be found in the code, for example, by 259searching for function `isAlgorithmSupported`, or from the `ipmitool` 260command such as `ipmitool channel getciphers ipmi`. 261 262OpenBMC supports IPMI "serial over LAN" (SOL) connections (via 263`impitool sol activate`) which shares the host serial console socket. 264