Security

From SpinetiX Support Wiki

Jump to: navigation, search

This page relates to security of the SpinetiX players.

Operating System

The SpinetiX players are designed for exclusively running the SpinetiX firmware, and no unsigned code can be executed on the device!

The operating system is built into the device's firmware and is based on the Linux kernel, with different adaptations and security patches applied specifically for SpinetiX players.

The player embedded firmware governs how the device is functioning and provides low-level control, monitoring and data manipulation of the SpinetiX device. All firmware releases are signed by SpinetiX - any firmware that is not supplied by SpinetiX will not install on the SpinetiX player as the signatures are not identical. This ensures complete security from malicious code and extremely high reliability.

Note Notes:
  • The embedded operating system cannot be changed in any way, and no other OS can be installed on the player.
  • No third-party drivers or applications can be installed on the player, including any drivers for WiFi USB adapters, touchscreens or other USB devices - for interactivity via USB, only the HID standard protocol is supported.
  • DSOS is not affected by the critical Dirty Pipe vulnerability (CVE-2022-0847) as all the supported models are using non-affected kernel versions (as of DSOS 4.7.3 they are 5.4 and 2.6.37, depending on player model). Furthermore, the DSOS security model protects against this type of vulnerabilities, as it does not allow creating user controlled processes nor pipes; exploiting this type of vulnerability would require first exploiting another vulnerability to escape these restrictions, but no such vulnerability is known to date on DSOS.

Network

Inward access

Outward access

Remote access

  • It is strongly discouraged to expose SpinetiX players directly on the public Internet, by forwarding ports from your Internet router to the player for instance, because that allows incoming connections from the public Internet and exposes the players to Internet attacks such as DDoS (distributed denial-of-service), password cracking, or make it easy to exploit any security vulnerabilities. See the proposed solutions for remote access to the player.
  • Note that having players connected to the Internet, such that they can access Internet resources via connections initiated by the player, is most often a must and not a problem.

Security warnings

Security-scan products, also known as vulnerability and configuration assessment products (like Nessus vulnerability scanner), might find various security warnings related to SpinetiX players – for instance, various CVEs affecting the version of Apache being used by the player can be returned. But, using just the httpd version number for security checks is misleading because we use a variant of Apache httpd with a lot of backported fixes and only a limited set of modules are actually implemented / used, so most of these warnings do not actually apply. In case of doubt, feel free to contact us.

As long as your player is using the latest firmware, these warnings are normally false positives (false alarms) without impact over the security of your devices. Of course, best practices like choosing strong passwords and keeping them safe, must be followed. For added security, you can isolate the players' installation on a separate virtual network (VLAN) with restricted access.

Apache modules

The following list of compiled modules applies to firmware 4.8.0.

core_module, authn_file_module, authn_core_module, authz_host_module, authz_groupfile_module, authz_user_module, authz_core_module, access_compat_module, auth_basic_module, auth_digest_module, socache_shmcb_module, so_module, http_module, mime_module, log_config_module, env_module, expires_module, headers_module, setenvif_module, ssl_module, mpm_prefork_module, unixd_module, dav_module, autoindex_module, cgi_module, dav_fs_module, negotiation_module, dir_module, actions_module, alias_module, rewrite_module, proxy_module, proxy_fcgi_module
Note Note:
Any CVE affecting a module not listed above should be considered as a false positive.

The following modules are included in the firmware image but are not loaded, so any potential vulnerability affecting them is not exploitable:

mod_allowmethods.so, mod_deflate.so, mod_info.so, mod_lbmethod_bybusyness.so, mod_lbmethod_byrequests.so, mod_lbmethod_bytraffic.so, mod_lbmethod_heartbeat.so, mod_log_debug.so, mod_logio.so, mod_macro.so, mod_proxy.so, mod_proxy_ajp.so, mod_proxy_balancer.so, mod_proxy_connect.so, mod_proxy_express.so, mod_proxy_fcgi.so, mod_proxy_fdpass.so, mod_proxy_ftp.so, mod_proxy_http.so, mod_proxy_scgi.so, mod_proxy_uwsgi.so, mod_proxy_wstunnel.so, mod_status.so

The mod_fastcgi module is no longer used since firmware 4.7.0 (all platforms), but is dynamically loaded for firmware 4.6.x and earlier on HMP350, HMP300, and DiVA players.

CVEs

SpinetiX actively monitors the official CVE list for any potentials threats that could affect our players and software products and acts quickly to fix them when necessary, either through patches or external libraries updates.

CVE stands for Common Vulnerabilities and Exposures, which is a dictionary of publicly known information security vulnerabilities and exposures.

  • An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
  • An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

To know which CVEs got fixed lately, check out these dedicated pages:

See also:

False positives

Some examples of such security warnings are presented below (the format is "Service (Port)"):

  • hosts2-ns(81/tcp): WebDAV
    The WebDAV module is enabled on the port 81 on the device (i.e. HMP internal content server) in order to allow pushing content onto HMP. It cannot be disabled because it is one of the HMP fundamental services; nevertheless the access to the content interface can be secured by setting a password for the content authoring user (of course, the password should be set before running such security tests).
    The main HMP interface (running on port 80) cannot be searched or be modified using WebDAV, except for the /content path, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the admin access should be well-secured as well.
  • mdns (5353/udp): ZeroConf/bonjour

Security-scan products might warn about the jQuery version (v3.2.1) used by the player web interface being affected by the following vulnerabilities: CVE-2020-11022 and CVE-2020-11023.

Our team analyzed these two vulnerabilities and the conclusion is that they are false positives. The multiple cross-site scripting vulnerabilities refer to the fact that "passing HTML code from untrusted sources to one of jQuery's DOM manipulation methods may execute untrusted code" - this doesn't apply to the player web interface (no HTML code allowed, the access is protected by username/password), but rather to a public site where someone could enter a malicious HTML payload. Nevertheless, the jQuery library was updated to v3.6.0 in firmware 4.8.0.

Security advisories

SpinetiX is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. SpinetiX publishes security advisories for security related defects in its own software under Security advisories page.

Statement of volatility

The players have multiple serial, electrically erasable, and programmable nonvolatile memory components (EEPROM and Flash memory) that are used to store manufacturing hardware identification, hardware configuration information, and user content.

  • The EEPROM memory is not writable by users and cannot contain sensitive data.
  • The Flash memory (i.e. the internal storage) is writable by users and thus might contain sensitive data.

Further information about this subject can be provided upon request.

See also

This page was last modified on 15 November 2023, at 17:40.