OpenBMC 2.8 security audit results
Alexander Tereschenko
aleksandr.v.tereschenko at linux.intel.com
Tue Jun 23 19:05:08 AEST 2020
On 22-Jun-20 16:08, Joseph Reynolds wrote:
> On 6/22/20 4:30 AM, Alexander Tereschenko wrote:
>> On 20-Jun-20 03:26, Joseph Reynolds wrote:
>>> Here are the results from my "security audit" on the planned OpenBMC
>>> 2.8 release. The results are not intended as a complete analysis,
>>> but only offer highlights into the BMC's security configuration.
>>> Contributions are appreciated.
>>> The script to perform these tests was presented here:
>>> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021186.html
>>> and was followed more-or-less.
>>>
>>> $ echo "Checking test host openssl version"
>>> Checking test host openssl version
>>> $ openssl version
>>> OpenSSL 1.0.2k-fips 26 Jan 2017
>>>
>> I'm not sure I get this one - is "test host" a BMC or the one where
>> the test script is being run? If the former, this is really old, no
>> longer publicly supported by the OpenSSL team and has multiple CVEs
>> against it [1], so should be upgraded.
>>
>> [1] https://www.openssl.org/news/openssl-1.0.2-notes.html
>
> Alexander, thanks for your reply. The "test host" is a Linux system
> used to probe the BMC via network interfaces such as SSH, HTTPS, and
> REST APIs. To reflect actual customer use, I used a test host that
> has an older operating system. I've included the test host's software
> versions to help answer questions about the results below, when the
> host version factors into the results. [I'll update my preamble with
> this information.]
Got it, in this case that comment is not important, the text host may
have whatever versions :)
>>> /etc/ssl/certs:
>>> drwx------ 2 root root 160 Jun 10 06:22 authority
>>> drwx------ 2 root root 304 Jun 10 06:23 https
>>>
>>> observation: Certificates under /etc/ssl are protected from reading
>>
>> This actually seems to be surplus - *certificates* are public by
>> definition, it's the private parts of them (private keys
>> corresponding to public ones in certificates) that need protection
>> like that.
>
> Thanks for the clarification. I've heard a private certificate is
> improperly being stored along with its public cert in there somewhere,
> but I don't really know.
Ah, indeed, that reminds me - OpenBMC stores both private key and the
cert (with the public key) in one file, concatenated. That's how bmcweb
consumes that (unlike e.g. Apache or nginx, which have separate
settings/paths for private and public keys, though nginx also allows for
combining) and indeed that in turn necessitates closing down the
respective files/dirs - so your check is correct and my comment is not
applicable.
regards,
Alexander
More information about the openbmc
mailing list