Security Working Group meeting - Wednesday October 13 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Oct 14 05:39:21 AEDT 2021
On 10/13/21 8:11 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday October 13 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
> 1.
There were no topics when the meeting started. We discussed 5 items:
Attended: Joseph Reynolds, Bruce Mitchell, Vernon Mauery, mbhavsar,
Jiang Zhang, pravisash, James Mihm
1. CVE-2021-39296 is already publicly disclosed. OpenBMC is ready to
disclose.
Here are the existing public disclosures:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39296
* https://www.ibm.com/support/pages/node/6495437
IBM PSIRT - https://www.ibm.com/trust/security-psirt
ASPEED Linux kernel patches are made regularly.
We discussed the desire to improve the OpenBMC Security Response Team's
(SRT) coordinated disclosure. Specifically, OpenBMC discloses first,
then any products built on OpenBMC disclose the same day and refer to
the OpenBMC disclosure.
We agreed to publish advisories on
https://github.com/openbmc/openbmc/security/advisories
TODO: Joseph to make this work, and look into creating the
https://github.com/openbmc SRT team
2. Question about IPMI cipher suite 3. This was removed: see notes 2020-04-29 below.
Existing ipmitool users can adapt in one of two ways: invoke ipmitool to
use cipher suite 17 (`ipmitool -C 17 ...`) or use the latest ipmitool.
Was this change in the release notes? Yes, here:
https://github.com/openbmc/docs/blob/master/release/release-notes.md#security-audit-results-1
The link to the latest ipmitool source is here:
https://github.com/ipmitool/ipmitool/ (sha 7772254b62826b894ca629df8c597030a98f4f72, April 2018)
3. We discussed "password over IPMI over DTLS" from before.
Email excerpt Oct 5, 2021 “SPAKE, DTLS and passwords + aPAKE and SCRAM”:
Weaknesses of SRP (Secure Remote Password):
- Server spoofing: there is nothing that prevents a server from
being spoofed.
- Widely adopted with very little proof of being cryptographically
secure, and has been shown vulnerable to pre-computation attacks.
- No feasible way to check for password complexity in the protocol
(true for most aPAKEs - asymmetric Password Authenticated Key Exchange).
- Some debate over whether it actually provides forward secrecy.
Recommendation to look at the OPAQUE aPAKE:
https://blog.cloudflare.com/opaque-oblivious-passwords/
Suggestion to use SCRAM
https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
The SRP server spoofing weakness is fully compensated for by the IPMI
protocol, which prevents spoofing, so it is not an issue. The other items
apply. We'll continue to study this.
4. https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/39756 BMCWeb
"Fix authorization rules" was mentioned in passing.
5. USB control was continued from the previous meeting.
Use case: a UPS (power supply) plugged into a BMC USB port, using the RS-232 protocol.
Threat: a physically present attacker plugs in a USB device which claims
to be a UPS that has lost power and will drop out immediately, so the BMC
performs an orderly shutdown. [Never mind that the same attacker can just
hit the power button.]
In this case, do we want to (1) ignore the signals from the UPS, or (2)
read and log the signals but take no action?
In a hypothetical BMC systemd service to serve a UPS, if we wanted to
disable it, would we (1) stop the service, or (2) reconfigure the
service to continue to log signals but not take action? Which approach
is better?
BMC hardware SuperIO provides USB port capability. Are there any other
use cases within the OpenBMC community for BMC USB ports? Is this an
IBM-only use case?
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph