From SpinetiX Support Wiki
This page relates to security of the SpinetiX devices. See also the dedicated article about Meltdown and Spectre vulnerabilities.
The SpinetiX player operating system is built into the device firmware and is based on the Linux kernel, with different adaptations and security patches applied specifically for SpinetiX players. The embedded OS cannot be changed in any way and no other OS can be installed on the player.
- Wind River® Linux 6 distribution is used within firmware 4.x on DiVA, HMP300, and HMP350 devices.
- MontaVista Professional Edition 4 distribution is used within firmware 3.x and below on HMP200, HMP130, and HMP100 devices.
The player embedded firmware governs how the device is functioning and provides low-level control, monitoring and data manipulation of the SpinetiX device. All firmware releases are signed by SpinetiX - any firmware that is not supplied by SpinetiX will not install on the SpinetiX player as the signatures are not identical. This ensures complete security from malicious code and extremely high reliability.
No third-party drivers or applications can be installed on the player, including any drivers for Wifi USB adapters, touchscreens or other USB devices - for interactivity via USB, only the HID standard protocol is supported.
- SpinetiX players were designed to be used within a local network, so it is not recommended to have them connected directly to the Internet, as they don't have a firewall. For more details about remote access, see the Network access page.
- The network ports used by the player are detailed on the Ports page - the essential ones are: TCP 80 / 443 (for access to Control Center) and TCP 81 / 9802 (for publishing).
- The HMP supports basic, digest, and NTLM authentication methods for connecting to web servers requiring authentication.
- When accessing the HMP protected areas (e.g., HMP Control Center, HMP content server, Fusion etc.), digest access authentication is used.
- The default player behavior is to disallow insecure access to its publish server starting with firmware 4.3.0. This feature is controlled from HMP Control Center > Network > Server Security.
- The HMP supports SNMP version 2c (with read-only access), does not generate SNMP traps, and runs the Net-SNMP 5.4 (fully patched). The access to SNMP is disabled by default. For more details, see SNMP monitoring page.
- The IEEE 802.1X network protocol is not implemented on the HMP. As alternatives, MAC address filtering at the switch port level or MAB (MAC Authentication Bypass) can be used in a protected network environment.
All player models are able to access remote resources via HTTPS.
- The web interface is now also available on the standard HTTPS port (443) and is thus reachable via https://HMP_address .
- The WebDAV interface for content publishing over HTTPS is available on port 9802 (standard WebDAV port) and is this reachable via https://HMP_address:9802 .
- The SSL/TLS certificate is an automatically generated self-signed certificate.
- Since 4.0.0 firmware, it is possible to upload user certificates using the Server Certificates section of the Network settings
- The list of trusted root certificates matches that of Firefox. Certificate validation can be controlled from HMP Control Center > Network settings > HTTPS page on DiVA, HMP300 and HMP350 devices, respectively, Network Settings > HTTPS tab on HMP200, HMP130, and HMP100 devices.
- The OpenSSL version used by the HMP is not affected by the Heartbleed bug.
- SSL with Virtual Hosts using Server Name Indication (SNI) is supported starting with 3.1.0 release.
Possible SSL errors
- Server certificate verification failed: certificate has expired
- This happens when the server certificate is no longer valid - to solve this, a new server certificate must be issued.
- Server certificate verification failed: certificate issued for a different hostname
- This happens when the server name doesn't match the one mentioned within the SSL certificate, for instance when using the server's IP address instead of its hostname - to solve this, use the server name as mentioned within the SSL certificate.
- Server certificate verification failed: issuer is not trusted
- This happens when the server root certificate is not within the player built-in database of the root certificates of public certification authorities, for instance when the certificate was delivered by a private, or enterprise internal, certification authority. To solve this, you can add that root certificates on the player from HMP Control Center > Network > Trusted Certificates.
- SSL handshake failed: SSL error code -1/1/336032856
- This can happen when the hostname reported by the server does not the match hostname given in the SSL certificate. Make sure your server configuration uses correct values for ServerName and NameVirtualHost.
- SSL handshake failed: SSL error: unknown message digest algorithm
- The sha256WithRSAEncryption algorithm was not supported before 3.1.0 release. The solution is to update the firmware on the HMP or use sha1WithRSAEncryption algorithm when generating the certificate.
The access to the HMP can be protected by passwords configurable on the "Security" page in Control Center interface.
- For DiVA, HMP300 and HMP350, see User manager tool page.
- For HMP200, HMP130, and HMP100 devices, see Security settings 3.x page.
CVE stands for Common Vulnerabilities and Exposures, which is a dictionary of publicly known information security vulnerabilities and exposures.
- An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
- An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
To know which CVEs got fixed lately, check out these dedicated pages:
- The dedicated article about Meltdown and Spectre vulnerabilities
- Common Vulnerabilities and Exposures page (no longer maintained).
Some security-scan products, also known as vulnerability and configuration assessment products (for instance Nessus), might find various security warnings related to player, however these are false positives (that means nothing to worry about). Some examples of such security warnings are presented below (the format is "Service (Port)"):
- hosts2-ns(81/tcp): WebDAV
- The WebDAV module is enabled on the port 81 on the device (i.e. HMP internal content server) in order to allow pushing content onto HMP. It cannot be disabled because it is one of the HMP fundamental services; nevertheless the access to the content interface can be secured by setting a password for the content user (of course, the password should be set before running such security tests).
- The main HMP interface (running on port 80) cannot be searched or be modified using WebDAV, except for the
/contentpath, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the administration area should be secured as well.
- mdns (5353/udp): ZeroConf/bonjour
- Apache modules
- Sometimes, network security scans might reveal potential vulnerabilities affecting the version of Apache being used, however only a limited set of modules are actually implemented / used, so most of them do not actually apply. In case of doubt, feel free to contact us.
Passwords stored by Elementi
The credentials required when accessing players, Publish Locations or resources from web servers, are managed from Menu > Settings > Network Credentials... dialog. The passwords are not displayed in clear until the button "Show Passwords" is clicked.
The data is stored as encrypted hashes inside profile.xml file (found from Application Data \ SpinetiX \ Elementi folder), under the "credentials" section:
<spx:credentials> <spx:auth realm="" host="http://172.21.1.85:81/" user="content" passwd="QAAANCoAwE/Cl+sBUYdUu+Ow..."/> <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" user="content" passwd="bJ9WAQAAANCMnd8BE8AA..."/> <spx:auth realm="" host="http://dav.box.com/" user="firstname.lastname@example.org" passwd="AQAAANCMnd8APEQma+rpGYWmxLmCcZ1Lc..."/> <spx:auth realm="SYNO_WebDAV Storage" host="http://synology-nas:5005/projects/MyProject/" user="hmp" passwd="8+DI9HiTIG7rrAMgavfbJ9WwyuERfkecMTTIQAAAAIcygF..."/> </spx:credentials>
- The profile.xml file cannot be copied and used to another machine because the data is encrypted with the UID of the login name of the user account of the machine; even if another user has the same name, the UID will not be the same.
- If you have a group of HMPs all using one password, delete the value of the "host" parameter above (leaving just two double-quotes). This will result in Elementi / HMD attempting to use this password first for every player it publishes to. Players with different passwords will give the standard login dialog.
- If you have multiple groups of HMPs with different passwords per group, you can copy and paste the entire
<spx:auth>tag above and replace the hostname in each case.