Redfish security question (user enumeration)
Joseph Reynolds
jrey at linux.ibm.com
Tue Feb 11 04:35:20 AEDT 2020
The Redfish spec recently changed to allow users with the Login
privilege to enumerate all BMC users. Previously only the admin user
could do this. I disagree with this change and believe it is an
unnecessary information exposure. Details are in the Redfish forum post.
https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
Are we okay with this? Do we ask Redfish to change it back? Please
reply to this email or to the forum with your thoughts.
Thanks,
- Joseph
References:
The change was made to Redfish version 2019.4 > DSP2046 >
Redfish-1.0.4-PrivilegeRegistry > ManagerAccountCollection > GET:
https://www.dmtf.org/standards/redfish
OpenBMC has the corresponding implementation change pending here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881
This was discussed in the 2020-02-05 OpenBMC security working group
meeting as agenda item 3. Minutes:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
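One way to judge a change like this is to compute, from the privilege registry itself, which resources a principal holding only the Login privilege can GET before and after the edit. The script below is an added example, not code from this email, from OpenBMC or from DMTF; it parses two constructed registry fragments shaped like the Redfish PrivilegeRegistry schema (Mappings, Entity, OperationMap with per-verb OR-lists of AND-lists of privileges). The entity set, the privilege names and the "before" requirement of ConfigureUsers or ConfigureManager are assumptions for illustration, not the published registry text.

```python
"""Audit what a Login-only Redfish account may read under a PrivilegeRegistry.

Added example for illustration. The registry fragments are constructed and
follow the PrivilegeRegistry layout: each Mappings entry names an Entity and
an OperationMap; each HTTP verb maps to a list of alternatives (OR), and each
alternative's "Privilege" array must be held in full (AND).
"""
import copy
import json

# Constructed "before" registry: only account administrators can list accounts.
# Privilege names and entity set are assumptions, not DMTF-published text.
REGISTRY_BEFORE = json.loads("""
{
  "Id": "Constructed_before",
  "Mappings": [
    {"Entity": "ManagerAccountCollection",
     "OperationMap": {
       "GET":  [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureManager"]}],
       "POST": [{"Privilege": ["ConfigureUsers"]}]}},
    {"Entity": "ManagerAccount",
     "OperationMap": {
       "GET":   [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureSelf"]}],
       "PATCH": [{"Privilege": ["ConfigureUsers"]}, {"Privilege": ["ConfigureSelf"]}]}},
    {"Entity": "SessionCollection",
     "OperationMap": {"GET": [{"Privilege": ["Login"]}]}}
  ]
}
""")

# Constructed "after" registry: identical except that GET on the account
# collection now requires only Login, mirroring the change described above.
REGISTRY_AFTER = copy.deepcopy(REGISTRY_BEFORE)
REGISTRY_AFTER["Id"] = "Constructed_after"
for _mapping in REGISTRY_AFTER["Mappings"]:
    if _mapping["Entity"] == "ManagerAccountCollection":
        _mapping["OperationMap"]["GET"] = [{"Privilege": ["Login"]}]


def privileges_satisfy(held, alternatives):
    """True if the held privilege set satisfies at least one AND-list alternative."""
    held = set(held)
    return any(set(alt.get("Privilege", [])) <= held for alt in alternatives)


def allowed_entities(registry, held, verb="GET"):
    """Entities on which a principal holding `held` may perform `verb`."""
    allowed = set()
    for mapping in registry["Mappings"]:
        alternatives = mapping["OperationMap"].get(verb, [])
        if privileges_satisfy(held, alternatives):
            allowed.add(mapping["Entity"])
    return allowed


def exposure_diff(before, after, held, verb="GET"):
    """Entities newly reachable by `held` after a registry change (the risk delta)."""
    return allowed_entities(after, held, verb) - allowed_entities(before, held, verb)


if __name__ == "__main__":
    login_only = {"Login"}
    print("Login-only GET before:", sorted(allowed_entities(REGISTRY_BEFORE, login_only)))
    print("Login-only GET after: ", sorted(allowed_entities(REGISTRY_AFTER, login_only)))
    print("Newly exposed to Login:", sorted(exposure_diff(REGISTRY_BEFORE, REGISTRY_AFTER, login_only)))
```

Run against the real registry shipped with a BMC (or the DMTF JSON), the same diff shows exactly which collections a lowest-privilege account gains read access to across a registry version bump, which is the information exposure the question above is about.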