Potential high risk for readonly/operator users on BMC console access

Joseph Reynolds jrey at linux.ibm.com
Tue Nov 29 12:41:37 AEDT 2022 

On 11/21/22 4:17 AM, Thang Nguyen OS wrote:
> Hi,
> I would like to have your comments on below issue which we think it is high risk security issue which description below:
>
> Any user (read-only, operator, administrator), when created, has BMC console access/login by default. He can login to BMC via BMC console and do the following actions:
>   - Write to his /home/<user> folder to full. This will make the RootFS full and no more operation can be done, unless do A/C power and reflash the BMC from u-boot.
> - Write to /tmp folder to full which will make many application fail to work.
> It is good for administrator as he should have full privilege. However, for readonly/operator users, he should not have console access. No matter if he makes the BMC crashed by mistake or it is his intention, we should prevent his happens.
> It is known that many production systems do not support BMC console but still have some support and some companies allow remote access via KVM or console server. I think we should disable shell login for normal users (readonly and operator) by default.

Thanks for your report.  Here are my thoughts.

You are describing resource exhaustion, sometimes denoted as one of:
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling

I agree this will lead to the failure of various BMC functions leading 
to denial of service.

There are two ways to access the BMC command shell:

1. Access to the BMC command shell via SSH port 22.  The default BMC 
configuration only allows Administrator users to have access. [footnote 1]

2. Access to the BMC command shell via the BMC's serial port.  The 
typical BMC setup either does not have a console or specifies that 
access to the BMC's physical console port should be protected.

Please see some related build-time configuration options here: 
https://github.com/openbmc/openbmc/wiki/Configuration-guide#bmc-console-shell-access

Also, we can consider adding a check so that only admin users are 
allowed to access to a BMC command shell via the BMC's serial console.  
(And non-admin user will be logged off.)

- Joseph


Footnote 1:
The effect of the following is to configure the dropbear SSH server so 
only users who are in the priv-admin Linux group are allowed to connect 
via SSH.
This config parameter: 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/dropbear.default
Is configured into the image from here: 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear_%25.bbappend
and is used on the dropbear command line from here: 
https://github.com/openbmc/openbmc/blob/master/poky/meta/recipes-core/dropbear/dropbear/dropbear%40.service




>
> Thanks,
> Thang Q. Nguyen -

More information about the openbmc mailing list