Security

From SpinetiX Support Wiki


This page relates to security of the HMP system.

Operating System

Info: The HMP hardware is designed exclusively for running the SpinetiX firmware, and no unsigned code can be executed on the HMP.
  • The Operating System of the HMP device is based on a Wind River Linux distribution (starting with firmware 4.0.0) or a MontaVista Linux distribution (up to firmware 3.x), and it cannot be changed in any way and no other OS can be installed on the HMP.
  • Any firmware that is not supplied by SpinetiX for the HMP hardware will not install on the HMP, because its signature does not match the one the device expects. This ensures complete security from malicious code and extremely high reliability.
  • No 3rd party drivers or applications can be installed, including any drivers for touchscreens, Wifi adapters or USB TV adapters.
    • Instead, the HID standard is supported. See the Interactivity page for more details.

Network

  • The HMP device was designed to be used within a local network and it is not recommended to have the HMP connected directly to the Internet, as it does not have a firewall. For more details about remote access, see the Network access page.
  • The two essential ports for access to an HMP are: TCP 80 (for access to Control Center) and TCP 81 (for publishing). The rest of the network ports that might be used by the HMP are detailed on the Ports page.
  • The HMP supports basic, digest, and NTLM authentication methods for connecting to web servers requiring authentication.
  • When accessing the HMP protected areas (e.g., HMP Control Center, Fusion etc.), digest access authentication is used.
  • The HMP supports SNMP version 2c (with read-only access), does not generate SNMP traps, and runs Net-SNMP 5.4 (fully patched). Access to SNMP is disabled by default. For more details, see the SNMP monitoring page.
  • The IEEE 802.1X network protocol is not implemented on the HMP. As alternatives, MAC address filtering at the switch port level or MAB (MAC Authentication Bypass) can be used in a protected network environment.

HTTPS

All player models are able to access remote resources via HTTPS.

DiVA, HMP300 and HMP350 devices can be accessed using a secured URL (HTTPS).

  • The web interface is now also available on the standard HTTPS port (443) and is thus reachable via https://HMP_address.
  • The WebDAV interface for content publishing over HTTPS is available on port 9802 (standard WebDAV port) and is thus reachable via https://HMP_address:9802.
  • The SSL/TLS certificate is an automatically generated self-signed certificate.
  • Since firmware 4.0.0, it is possible to upload user certificates using the Server Certificates section of the Network settings.

HMP200, HMP130, and HMP100 models cannot be accessed using a secured URL (HTTPS).

Notes

Possible SSL errors

  • SSL handshake failed: SSL error code -1/1/336032856
    This can happen when the hostname reported by the server does not match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for ServerName and NameVirtualHost.
  • Server certificate verification failed: certificate has expired, certificate issued for a different hostname, issuer is not trusted
    This can happen when the certificate has expired or has been issued for a different hostname or when the issuer is not trusted.
  • SSL handshake failed: SSL error: unknown message digest algorithm
    The sha256WithRSAEncryption algorithm was not supported before the 3.1.0 release. The solution is to update the firmware on the HMP or to use the sha1WithRSAEncryption algorithm when generating the certificate.
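To help decide which of the causes listed above applies to a failing server certificate, here is an added Python example (not SpinetiX code) that maps certificate facts to the HMP error messages above. The CertInfo fields, the firmware-version comparison and the sample values are assumptions made for illustration.

```python
import ssl
import time
from dataclasses import dataclass


@dataclass
class CertInfo:
    """Facts about a server certificate as the HMP would see them (constructed input)."""
    hostnames: list           # subject CN plus subjectAltName DNS entries
    not_after: str            # OpenSSL notAfter text, e.g. 'May 11 11:10:00 2017 GMT'
    signature_algorithm: str  # e.g. 'sha256WithRSAEncryption'
    issuer_trusted: bool      # whether the issuing CA is trusted by the HMP


def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard in the left-most label only (*.example.com)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    if pattern.startswith('*.'):
        labels = hostname.split('.')
        return len(labels) > 1 and '.'.join(labels[1:]) == pattern[2:]
    return False


def diagnose(cert, requested_host, firmware_version, now=None):
    """Return a list of (HMP error message, remedy) pairs; an empty list means no
    problem among the causes listed on this page was found."""
    now = time.time() if now is None else now
    problems = []
    if not any(hostname_matches(h, requested_host) for h in cert.hostnames):
        problems.append(('SSL handshake failed: SSL error code -1/1/336032856',
                         'hostname does not match the certificate; check ServerName / NameVirtualHost'))
    # ssl.cert_time_to_seconds parses the OpenSSL date format into epoch seconds
    if ssl.cert_time_to_seconds(cert.not_after) < now:
        problems.append(('Server certificate verification failed: certificate has expired',
                         'renew the certificate'))
    if not cert.issuer_trusted:
        problems.append(('Server certificate verification failed: issuer is not trusted',
                         'use a certificate from an issuer the HMP trusts'))
    # sha256WithRSAEncryption is only understood from firmware 3.1.0 onwards
    fw = tuple(int(x) for x in firmware_version.split('.'))
    if cert.signature_algorithm == 'sha256WithRSAEncryption' and fw < (3, 1, 0):
        problems.append(('SSL handshake failed: SSL error: unknown message digest algorithm',
                         'update the firmware to 3.1.0 or later, or sign with sha1WithRSAEncryption'))
    return problems
```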

Access security

Access to the HMP can be protected by passwords configurable on the "Security" page of the Control Center interface.

Note: If you have multiple HMPs and want to set or change their passwords centrally rather than manually from Control Center (for instance, to set a new password on all HMPs every 30 days), you can use the RPC set_password feature of the player.

Security warnings

False positives

Some security-scan products, also known as vulnerability and configuration assessment products (for instance Nessus), may report various security warnings for the player; however, these are false positives, i.e. nothing to worry about. Some examples of such security warnings are presented below (the format is "Service (Port)"):

  • hosts2-ns(81/tcp): WebDAV
    The WebDAV module is enabled on port 81 of the device (i.e., the HMP internal content server) in order to allow pushing content onto the HMP.
    It cannot be disabled because it is one of the HMP's fundamental services; nevertheless, access to the content interface can be secured by setting a password for the content user (of course, the password should be set before running such security tests).
    The main HMP interface (running on port 80) cannot be browsed or modified using WebDAV, except for the /content path, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the administration area should be secured as well.

Apache modules

Sometimes, network security scans might report potential vulnerabilities affecting the version of Apache being used; however, the HMP only implements a limited set of modules, so these do not apply.

CVEs

See the dedicated page about Common Vulnerabilities and Exposures.

Passwords stored by Elementi/HMD

  • Elementi/HMD stores the saved device passwords entered in the profile as encrypted hashes in the profile.xml file, located in the Application Data \ SpinetiX \ Elementi (HMD) folder.
  • The data is stored in the "credentials" section of the file:
<spx:credentials>
<spx:auth realm="Content Area" 
          host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" 
          user="content" 
          passwd="AQAAANCMnd8BEWvD8fNPUX0/AAAAAAYhhhABlAG4AdABpAGEAbABzA"/>
</spx:credentials>
  • If you have a group of HMPs all using one password, delete the value of the "host" parameter above (leaving just two double-quotes). This will result in Elementi/HMD attempting to use this password first for every player it publishes to. Players with different passwords will give the standard login dialogue.
  • If you have multiple groups of HMPs with different passwords per group, you can copy and paste the entire "<spx:auth>" tag above and replace the hostname in each case.
  • Note: you cannot copy this file to another machine. The data is encrypted with the UID of the user account you are logged in with on that machine. Even if a user on another machine has the same login name, the UID will not be the same.
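As an added example (not part of this page, nor Elementi/HMD code), the following Python rewrites the credentials section in the two ways described above: blanking the host of one saved entry so its password is tried first on every player, and copying a saved entry to the other players of a group. The spx namespace URI, the enclosing <spx:profile> element and the extra player hostnames are assumed placeholders; the passwd value is the one shown above and stays opaque, since it only decrypts for the user account that saved it.

```python
import copy
import xml.etree.ElementTree as ET

# The page does not give the namespace URI behind the 'spx' prefix; placeholder assumed.
SPX_NS = 'urn:placeholder:spx'
ET.register_namespace('spx', SPX_NS)
AUTH, CREDENTIALS = f'{{{SPX_NS}}}auth', f'{{{SPX_NS}}}credentials'

# Constructed profile.xml fragment modelled on the snippet above.
SAMPLE_PROFILE = f'''<spx:profile xmlns:spx="{SPX_NS}">
  <spx:credentials>
    <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81"
              user="content" passwd="AQAAANCMnd8BEWvD8fNPUX0/AAAAAAYhhhABlAG4AdABpAGEAbABzA"/>
  </spx:credentials>
</spx:profile>'''


def _find_auth(creds, host):
    """Return the <spx:auth> entry saved for a given host."""
    for auth in creds.findall(AUTH):
        if auth.get('host') == host:
            return auth
    raise KeyError(f'no saved credentials for {host}')


def set_default_password(profile_xml, saved_host):
    """Blank the host of one saved entry so its password is tried first on every player."""
    root = ET.fromstring(profile_xml)
    _find_auth(root.find(CREDENTIALS), saved_host).set('host', '')
    return ET.tostring(root, encoding='unicode')


def replicate_for_group(profile_xml, saved_host, group_hosts):
    """Copy the entry saved for one player of a group to the other players of that group,
    keeping any entry Elementi/HMD has already saved for a player."""
    root = ET.fromstring(profile_xml)
    creds = root.find(CREDENTIALS)
    template = _find_auth(creds, saved_host)
    known = {a.get('host') for a in creds.findall(AUTH)}
    for host in group_hosts:
        if host not in known:
            clone = copy.deepcopy(template)   # same realm, user and encrypted passwd
            clone.set('host', host)
            creds.append(clone)
    return ET.tostring(root, encoding='unicode')


def saved_hosts(profile_xml):
    """List the host values of all saved entries, in file order."""
    return [a.get('host') for a in ET.fromstring(profile_xml).iter(AUTH)]
```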
This page was last modified on 11 May 2017, at 11:10.