OpenBMC 2.8 security audit results
Joseph Reynolds
jrey at linux.ibm.com
Tue Jun 23 00:08:52 AEST 2020
On 6/22/20 4:30 AM, Alexander Tereschenko wrote:
> On 20-Jun-20 03:26, Joseph Reynolds wrote:
>> Here are the results from my "security audit" on the planned OpenBMC
>> 2.8 release. The results are not intended as a complete analysis,
>> but only offer highlights into the BMC's security configuration.
>> Contributions are appreciated.
>> The script to perform these tests was presented here:
>> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021186.html and
>> was followed more-or-less.
>>
>> $ echo "Checking test host openssl version"
>> Checking test host openssl version
>> $ openssl version
>> OpenSSL 1.0.2k-fips 26 Jan 2017
>>
> I'm not sure I get this one - is "test host" a BMC or the one where
> the test script is being run? If the former, this is really old, no
> longer publicly supported by the OpenSSL team and has multiple CVEs
> against it [1], so should be upgraded.
>
> [1] https://www.openssl.org/news/openssl-1.0.2-notes.html
Alexander, thanks for your reply. The "test host" is a Linux system
used to probe the BMC via network interfaces such as SSH, HTTPS, and
REST APIs. To reflect actual customer use, I used a test host that has
an older operating system. I've included the test host's software
versions to help answer questions about the results below, when the host
version factors into the results. [I'll update my preamble with this
information.]
>
>
>> debug1: Remote protocol version 2.0, remote software version
>> dropbear_2019.78
>
> There's a very recent 2020.79, which has one CVE fix and some useful
> changes (e.g. using getrandom(), AES-GCM and so on), would be good to
> update it for the next release.
Agreed. Yocto will pull in the new dropbear release, and it will
downstream to OpenBMC. We may want to update our dropbear/options.patch
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
>
>
>> observation: The BMC SSH server offers the algorithms shown above.
>> Should we remove HMAC-SHA1?
>
> While it's not [yet] formally broken in the HMAC setting, IMO SHA1 is
> "broken enough" to remove it everywhere, so yes, I'd vote for that.
>
>
>>
>> When logged into the BMC via SSH as testuser:
>> testuser$ ls -la /home/root
>> drwxr-xr-x 2 root root 384 Jun 18 00:00 .
>> drwxr-xr-x 5 root root 368 Jun 20 00:23 ..
>> -rw------- 1 root root 12437 Jun 20 00:24 .bash_history
>> -rw-r----- 1 root root 459 Jun 19 20:19
>> bmcweb_persistent_data.json
>>
>> observation: Non-root user can list files in /home/root; that seems
>> undesireable. The files themselves are not readable.
>
> Agree, it doesn't seem necessary, so should be restricted
>
>
>> /etc/ssl/certs:
>> drwx------ 2 root root 160 Jun 10 06:22 authority
>> drwx------ 2 root root 304 Jun 10 06:23 https
>>
>> observation: Certificates under /etc/ssl are protected from reading
>
> This actually seems to be surplus - *certificates* are public by
> definition, it's the private parts of them (private keys corresponding
> to public ones in certificates) that need protection like that.
Thanks for the clarification. I've heard a private certificate is
improperly being stored along with its public cert in there somewhere,
but I don't really know.
>
>
> regards,
> Alexander
>
More information about the openbmc
mailing list