# Network Security Considerations

This describes network services provided by OpenBMC-based systems, some threats
the BMC faces from its network interfaces, and steps OpenBMC takes to address
these threats.

This is only intended to be a guide; security is ultimately the responsibility
of projects which choose to incorporate OpenBMC into their project. If you find
a security vulnerability, please consider [how to report a security
vulnerability][].

[how to report a security vulnerability]:
  https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md

Threats to the BMC are classified using the [CIA triad][]. All threat types are
significant; here is an example of each:

- Confidentiality: If an attacker can get data from the BMC, they may be able to
  chain other vulnerabilities to establish a covert information channel to get
  sensitive information from the host.
- Integrity: If an attacker can modify BMC settings or data, they may be able to
  gain additional access, and launch more attacks.
- Availability: If an agent can overwhelm the BMC's resources, either by
  accident or on purpose, the BMC will not be available to service its host
  (denial of service).

[cia triad]: https://en.wikipedia.org/wiki/Information_security#Key_concepts

This document is organized by how OpenBMC services connect to the network. The
general flow is:

- The BMC is presumed to have a network adapter. The security considerations of
  the NIC are important to BMC security, but are outside the scope of this
  document.
- Network traffic then flows through the kernel, detailed below.
- Finally, connections flow to various OpenBMC services.

OpenBMC provides services on TCP and UDP ports. For example, the HTTPS protocol
on port 443 is used to provide REST APIs and serve Web applications. These
services are detailed below. Implicitly, all other ports are inactive.

OpenBMC also initiates network communications, for example, NTP, LDAP, etc.
These are covered with their associated functions.

## Kernel and ICMP messages

Network traffic is handled by the Linux kernel. The exact kernel and device
driver have security considerations which are important to BMC security, but are
better addressed by the Linux kernel community. You can learn which kernel and
patches are used from the kernel recipes typically found in the board support
packages for the BMC referenced by your machine's configuration. For example, in
the `https://github.com/openbmc/meta-aspeed` repository under
`recipes-kernel/linux/linux-aspeed_git.bb`.

Per [CVE 1999-0524][], responding to certain ICMP packets can give an attacker
more information about the BMC's clock or subnet, which can help with subsequent
attacks. OpenBMC responds to all ICMP requests.

[cve 1999-0524]: https://nvd.nist.gov/vuln/detail/CVE-1999-0524

General considerations for ICMP messages apply, for example, packet
fragmentation and packet flooding vulnerabilities.

It is sometimes useful to filter and log network messages for debug and other
diagnostic purposes. OpenBMC provides no support for this.

## General considerations for services

Several services perform user identification and authentication:

- Phosphor REST APIs
- Redfish REST API SessionService
- Network IPMI
- SSH secure shell

OpenBMC's [phosphor-user-manager][] provides the underlying authentication and
authorization functions and ties into IPMI, Linux PAM, LDAP, and logging. Some
OpenBMC services use phosphor-user-manager.

[phosphor-user-manager]:
  https://github.com/openbmc/docs/blob/master/architecture/user-management.md

Transport layer security (TLS) protocols are configured for each service at
compile time, become part of the image, and cannot be changed dynamically. The
protocols which use TLS include:

- RAKP for IPMI.
- SSH for ssh and scp.
- HTTPS for Web and REST APIs.

Automated network agents (such as hardware management consoles) may malfunction
in a way that the BMC continuously gets authentication failures, which may lead
to denial of service. A brief delay before reporting the failure, for example
of one second, may help prevent this problem or lessen its severity. See
[OWASP Blocking Brute Force Attacks][].

[owasp blocking brute force attacks]:
  https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

Network agents may fail to end a session properly, which causes the service to
use resources to keep track of orphaned sessions. To help prevent this, services
may limit the maximum number of concurrent sessions, or have a session
inactivity timeout.

Services which are not required should be disabled to limit the BMC's attack
surface. For example, a large scale data center may not need a Web interface.
Services can be disabled in several ways:

1. Configure OpenBMC recipes to build the unwanted feature out of the BMC's
   firmware image. This gives the BMC the advantage of a smaller attack
   surface.
2. Implement something like the [Redfish ManagerNetworkProtocol][] properties
   for IPMI, SSH, and other BMC services, possibly by using shell commands like
   `systemctl disable ipmid` and `systemctl stop ipmid`.

[redfish managernetworkprotocol]:
  https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json

Network services should log all authentication attempts with their outcomes to
satisfy basic monitoring and forensic analysis requirements, for example, to
feed a real-time monitoring service, or to answer who accessed which services
at what times.

OpenBMC does not have a firewall.

Laws may require products built on OpenBMC to have reasonable security built
into them, for example, by not having a default password. See, for example,
[CA Law SB-327][].

[ca law sb-327]:
  https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

## Services provided on TCP and UDP ports

### TCP port 22 - Secure Shell (SSH) access to the BMC

The Secure Shell (SSH) protocol is provided, including secure shell (ssh
command) access to the BMC's shell, and secure copy (scp command) to the BMC's
file system.

The default SSH server implementation is provided by Dropbear. All configuration
is at compile-time with defaults for:

- Authentication provided by Linux PAM, where methods include username and
  password, and SSH certificates (the `ssh-keygen` command).
- Transport layer security (TLS) protocols offered.

SSH access to the BMC's shell is not the intended way to operate the BMC, gives
the operator more privilege than is needed, and may not be allowed on BMCs which
service hosts that process sensitive data. However, BMC shell access may be
needed to provision the BMC or to help diagnose problems during its operation.

### TCP port 443 - HTTPS REST APIs and Web application

BMCWeb is the Web server for:

- The Redfish REST APIs.
- The webui-vue Web interface.
- The Phosphor D-Bus REST interface.

It also initiates WebSockets for:

- Host KVM.
- Virtual media.
- Host serial console.

The [BMCWeb configuration][] controls which services are provided.

General security considerations for HTTP servers apply, such as those given by
[OWASP Application Security][].

BMCWeb controls which HTTPS transport layer security (TLS) ciphers it offers via
the compile-time header file `include/ssl_key_handler.hpp` in the
https://github.com/openbmc/bmcweb repository. The implementation is provided by
OpenSSL.

BMCWeb provides appropriate HTTP response headers, for example, in header files
`include/security_headers_middleware.hpp` and `crow/include/crow/websocket.h` in
the https://github.com/openbmc/bmcweb repository.

[bmcweb configuration]: https://github.com/openbmc/bmcweb#configuration
[owasp application security]:
  https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

#### REST APIs

BMCWeb offers three authentication methods:

1. The Redfish SessionService, which takes a username and password and provides
   an X-Auth token.
2. The Phosphor D-Bus REST interface `/login` URI, which takes a username and
   password and provides a session cookie. This method is deprecated in
   OpenBMC.
3. Basic Access Authentication, which takes a username and password (often URL
   encoded like `https://user:pass@host/...`) in an "Authorization" request
   header, and returns no credentials. This method is deprecated by RFC 3986.

The username and password are presented to phosphor-user-manager for
authentication.

The first two methods create the same kind of session but return different
credentials. For example, you can create a Redfish session, and use your
credentials to invoke Phosphor D-Bus REST APIs. Note, however, that X-Auth
tokens are required to use the POST, PUT, PATCH, or DELETE methods.

General security considerations for REST APIs apply:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md

Redfish provides security considerations in the "Security Detail" section of the
"Redfish Specification" (document ID DSP0266) available from
https://www.dmtf.org/standards/redfish.

#### The webui-vue Web application

General considerations for Web applications, such as those given by [OWASP Web
Application Security Guidance][], apply to OpenBMC. The webui-vue application
uses username- and password-based authentication, and REST APIs for subsequent
access.

[owasp web application security guidance]:
  https://www.owasp.org/index.php/Web_Application_Security_Guidance

The web app also provides interfaces to use the host serial console, virtual
media, and host KVM.

### TCP port 2200

Access to the BMC's [host serial console][] is provided via the SSH protocol on
port 2200.

[host serial console]: https://github.com/openbmc/docs/blob/master/console.md

This uses the same server implementation as port 22, including the same TLS
mechanisms.

How the host secures its console (for example, username and password prompts) is
outside the scope of this document.

### TCP and UDP ports 5355 - mDNS service discovery

General security considerations for service discovery apply. For example, as
described here: https://attack.mitre.org/techniques/T1046/

### UDP port 427 - SLP, Avahi

General security considerations for service discovery apply.

### UDP port 623 - IPMI RMCP

The IPMI network-facing design is described here:
https://github.com/openbmc/docs/blob/master/architecture/ipmi-architecture.md
and the implementation is described here:
https://github.com/openbmc/phosphor-net-ipmid. Note that host IPMI is outside
the scope of this document.

General security considerations for IPMI apply. For example, as described here:
https://www.us-cert.gov/ncas/alerts/TA13-207A

OpenBMC implements RMCP+ and IPMI 2.0. The phosphor-user-manager provides the
underlying authentication mechanism.

Supported IPMI ciphers can be found in the code, for example, by searching for
the function `isAlgorithmSupported`, or from the `ipmitool` command such as
`ipmitool channel getciphers ipmi`.

OpenBMC supports IPMI "serial over LAN" (SOL) connections (via
`ipmitool sol activate`) which share the host serial console socket.
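The session-handling guidance in "General considerations for services" above (a
brief delay before reporting an authentication failure, a cap on concurrent
sessions, an inactivity timeout that reclaims orphaned sessions, and an audit
record for every attempt) applies to an HTTPS session service such as the one
BMCWeb provides. The following is an added Python model of those four controls;
it is not OpenBMC or BMCWeb code. The credential store, the limits
(`MAX_SESSIONS`, `IDLE_TIMEOUT_S`), the `SessionService` class and the sample
logins in `demo()` are all constructed for illustration, and the clock is passed
in as a parameter so the behaviour can be checked without sleeping.

```python
"""Added example (not OpenBMC code): a small session service showing a fixed
delay on failed logins, a concurrent-session cap, an inactivity timeout and an
audit log of every authentication attempt. All names and limits are
constructed for illustration; a real BMC defers to PAM/phosphor-user-manager."""
import hashlib
import hmac
import secrets

FAILURE_DELAY_S = 1.0    # pause before answering a failed login (the page suggests ~1 s)
MAX_SESSIONS = 4         # constructed cap on concurrent sessions
IDLE_TIMEOUT_S = 600.0   # constructed inactivity timeout


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the platform's credential store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionService:
    def __init__(self, users):
        # users: {name: password}; only salted hashes are retained.
        self._creds = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, _hash(password, salt))
        self.sessions = {}   # token -> {"user": ..., "last": last-activity time}
        self.audit = []      # (time, source, user, outcome); never the password

    def login(self, user, password, source, now):
        """Return (token, delay). The caller sleeps `delay` before replying."""
        rec = self._creds.get(user)
        if rec is None:
            _hash(password, b"\x00" * 16)   # same work for unknown users
            ok = False
        else:
            salt, digest = rec
            ok = hmac.compare_digest(_hash(password, salt), digest)
        self._reap(now)                      # drop idle/orphaned sessions first
        if not ok:
            self.audit.append((now, source, user, "failure"))
            return None, FAILURE_DELAY_S
        if len(self.sessions) >= MAX_SESSIONS:
            self.audit.append((now, source, user, "rejected: session limit"))
            return None, 0.0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last": now}
        self.audit.append((now, source, user, "success"))
        return token, 0.0

    def authorize(self, token, now):
        """Return the session's user, or None if unknown or idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last"] > IDLE_TIMEOUT_S:
            del self.sessions[token]
            return None
        sess["last"] = now
        return sess["user"]

    def logout(self, token):
        self.sessions.pop(token, None)

    def _reap(self, now):
        stale = [t for t, s in self.sessions.items() if now - s["last"] > IDLE_TIMEOUT_S]
        for t in stale:
            del self.sessions[t]


def demo():
    """Constructed sequence of logins; returns the observed outcomes."""
    svc = SessionService({"admin": "correct horse battery"})
    r = {}
    r["bad"] = svc.login("admin", "wrong", "10.0.0.5", now=0.0)         # delayed failure
    r["unknown"] = svc.login("nobody", "x", "10.0.0.5", now=0.5)        # same delay
    tokens = [svc.login("admin", "correct horse battery", "10.0.0.9", now=1.0 + i)[0]
              for i in range(MAX_SESSIONS)]                             # fill the table
    r["live_user"] = svc.authorize(tokens[1], now=5.0)                  # still valid
    r["fifth"] = svc.login("admin", "correct horse battery", "10.0.0.9", now=10.0)
    later = 10.0 + IDLE_TIMEOUT_S + 1.0
    r["expired_user"] = svc.authorize(tokens[0], now=later)             # idle too long
    r["after_expiry"] = svc.login("admin", "correct horse battery", "10.0.0.9", now=later + 1.0)
    r["open_sessions"] = len(svc.sessions)
    r["audit"] = [entry[3] for entry in svc.audit]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The delay is returned rather than slept inside `login` so that a server can
apply it without blocking its event loop, and the audit list records the
outcome and source for every attempt, which is what the monitoring and
forensics requirement above asks for.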