Security
From SpinetiX Support Wiki
This page relates to the security of SpinetiX players.
Operating System
The operating system is built into the device's firmware and is based on the Linux kernel, with different adaptations and security patches applied specifically for SpinetiX players.
- DSOS™ (based on Yocto) is used on HMP400, HMP400W, iBX410, iBX410W, iBX440, and third-party players.
- Starting with firmware 4.7.1, DSOS™ is used on HMP350, HMP300, and DiVA as well; before that, a Wind River® Linux distribution was used.
The player's embedded firmware governs how the device functions and provides low-level control, monitoring and data manipulation of the SpinetiX device. All firmware releases are signed by SpinetiX: any firmware that is not supplied by SpinetiX fails signature verification and will not install on the player. This ensures complete security from malicious code and extremely high reliability.
- The embedded operating system cannot be changed in any way, and no other OS can be installed on the player.
- No third-party drivers or applications can be installed on the player, including any drivers for WiFi USB adapters, touchscreens or other USB devices - for interactivity via USB, only the HID standard protocol is supported.
- DSOS is not affected by the critical Dirty Pipe vulnerability (CVE-2022-0847), as all the supported models use non-affected kernel versions (as of DSOS 4.7.3 these are 5.4 and 2.6.37, depending on the player model). Furthermore, the DSOS security model protects against this type of vulnerability, as it does not allow creating user-controlled processes or pipes; exploiting such a vulnerability would first require exploiting another vulnerability to escape these restrictions, and no such vulnerability is known to date on DSOS.
Network
Inward access
- Access to the player's embedded web server must be protected with strong passwords, configurable from Control Center. For more details, see embedded web server security.
- All player models, except the legacy ones, can be accessed using a secured URL (HTTPS).
- The network ports used by the player are detailed on the Ports page - the essential ones are: TCP 80 / 443 (for access to Control Center) and TCP 81 / 9802 (for publishing).
- Insecure access to the player content server is disallowed by default, starting with firmware 4.3.0. This feature is controlled from Control Center > Network > Server Security.
- SpinetiX players support SNMP version 2c (with read-only access), do not generate SNMP traps, and run Net-SNMP 5.4 (fully patched). SNMP access is disabled by default. For more details, see the SNMP monitoring page.
Outward access
- SpinetiX players support basic, digest, and NTLM authentication methods for connecting to web servers requiring authentication.
- Support for the IEEE 802.1X network protocol is available on the HMP400, HMP400W, iBX410, iBX440, and third-party players. As alternatives for the other models, MAC address filtering at the switch port level or MAB (MAC Authentication Bypass) can be used in a protected network environment.
- The OpenSSL version used by the player is not affected by the Heartbleed bug.
Remote access
- It is strongly discouraged to expose SpinetiX players directly on the public Internet (for instance by forwarding ports from your Internet router to the player), because that allows incoming connections from the public Internet and exposes the players to attacks such as DDoS (distributed denial-of-service) and password cracking, and makes it easier to exploit any security vulnerability. See the proposed solutions for remote access to the player.
- Note that having players connected to the Internet, such that they can access Internet resources via connections initiated by the player, is usually a requirement and not a problem.
Security warnings
Security-scan products, also known as vulnerability and configuration assessment products (like the Nessus vulnerability scanner), might report various security warnings related to SpinetiX players – for instance, various CVEs affecting the version of Apache used by the player can be returned. However, judging security from the httpd version number alone is misleading: the player uses a variant of Apache httpd with many backported fixes, and only a limited set of modules is actually compiled in and used, so most of these warnings do not apply. In case of doubt, feel free to contact us.
As long as your player is using the latest firmware, these warnings are normally false positives (false alarms) with no impact on the security of your devices. Of course, best practices such as choosing strong passwords and keeping them safe must still be followed. For added security, you can isolate the players' installation on a separate virtual network (VLAN) with restricted access.
Apache modules
The following list of compiled modules applies to firmware 4.8.0.
- core_module, authn_file_module, authn_core_module, authz_host_module, authz_groupfile_module, authz_user_module, authz_core_module, access_compat_module, auth_basic_module, auth_digest_module, socache_shmcb_module, so_module, http_module, mime_module, log_config_module, env_module, expires_module, headers_module, setenvif_module, ssl_module, mpm_prefork_module, unixd_module, dav_module, autoindex_module, cgi_module, dav_fs_module, negotiation_module, dir_module, actions_module, alias_module, rewrite_module, proxy_module, proxy_fcgi_module
The following modules are included in the firmware image but are not loaded, so any potential vulnerability affecting them is not exploitable:
- mod_allowmethods.so, mod_deflate.so, mod_info.so, mod_lbmethod_bybusyness.so, mod_lbmethod_byrequests.so, mod_lbmethod_bytraffic.so, mod_lbmethod_heartbeat.so, mod_log_debug.so, mod_logio.so, mod_macro.so, mod_proxy.so, mod_proxy_ajp.so, mod_proxy_balancer.so, mod_proxy_connect.so, mod_proxy_express.so, mod_proxy_fcgi.so, mod_proxy_fdpass.so, mod_proxy_ftp.so, mod_proxy_http.so, mod_proxy_scgi.so, mod_proxy_uwsgi.so, mod_proxy_wstunnel.so, mod_status.so
The mod_fastcgi module is no longer used since firmware 4.7.0 (all platforms), but is dynamically loaded for firmware 4.6.x and earlier on HMP350, HMP300, and DiVA players.
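The triage described in the two sections above, as an added example (not SpinetiX code): it classifies scanner finding titles by whether the Apache module they name is in the firmware 4.8.0 loaded list or the shipped-but-not-loaded list on this page, and treats version-only findings as undecidable from the version number. The finding titles are constructed samples.

```python
"""Triage scanner findings about the player's Apache httpd by named module.
Added example, not SpinetiX code. Module sets are the firmware 4.8.0 lists on
this page; the finding titles at the bottom are constructed samples."""
import re

# Modules compiled into / loaded by the player's httpd (firmware 4.8.0).
LOADED = {
    "core", "authn_file", "authn_core", "authz_host", "authz_groupfile",
    "authz_user", "authz_core", "access_compat", "auth_basic", "auth_digest",
    "socache_shmcb", "so", "http", "mime", "log_config", "env", "expires",
    "headers", "setenvif", "ssl", "mpm_prefork", "unixd", "dav", "autoindex",
    "cgi", "dav_fs", "negotiation", "dir", "actions", "alias", "rewrite",
    "proxy", "proxy_fcgi",
}
# Shipped in the image but never loaded, so findings about them do not apply.
# mod_proxy.so and mod_proxy_fcgi.so are also in that list, but proxy_module and
# proxy_fcgi_module are compiled in, so they stay in LOADED above.
NOT_LOADED = {
    "allowmethods", "deflate", "info", "lbmethod_bybusyness", "lbmethod_byrequests",
    "lbmethod_bytraffic", "lbmethod_heartbeat", "log_debug", "logio", "macro",
    "proxy_ajp", "proxy_balancer", "proxy_connect", "proxy_express", "proxy_fdpass",
    "proxy_ftp", "proxy_http", "proxy_scgi", "proxy_uwsgi", "proxy_wstunnel", "status",
}
# Matches "mod_proxy_http", "mod_status.so" or "proxy_fcgi_module" in a title.
MODULE_RE = re.compile(r"\bmod_([a-z0-9_]+)|\b([a-z0-9_]+)_module\b")


def triage(finding: str) -> dict:
    """Verdicts: 'applies' (a named module is loaded: needs attention),
    'not-loaded' (only shipped-but-unloaded modules: not exploitable),
    'not-listed' (module absent from both lists: not in the image per this page),
    'version-only' (no module named: the version alone ignores backported fixes)."""
    modules = {a or b for a, b in MODULE_RE.findall(finding.lower())}
    if not modules:
        verdict = "version-only"
    elif modules & LOADED:
        verdict = "applies"
    elif modules <= NOT_LOADED:
        verdict = "not-loaded"
    else:
        verdict = "not-listed"
    return {"verdict": verdict, "modules": sorted(modules)}


if __name__ == "__main__":  # constructed titles in the style of scanner plugin names
    for title in ["Apache 2.4.x < 2.4.54 Multiple Vulnerabilities",
                  "Apache 2.4.x mod_proxy_uwsgi out-of-bounds write",
                  "Apache 2.4.x mod_lua stack overflow",
                  "Apache 2.4.x mod_proxy request splitting"]:
        print(f"{triage(title)['verdict']:13} {title}")
```

A "version-only" or "applies" verdict still has to be checked against the backported fixes in the current firmware; the other two verdicts can be closed as false positives per this page.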
CVEs
CVE stands for Common Vulnerabilities and Exposures, which is a dictionary of publicly known information security vulnerabilities and exposures.
- An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
- An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
To find out which CVEs have been fixed recently, check these dedicated pages:
See also:
- The dedicated articles about the Apache Log4j vulnerability and the Meltdown and Spectre vulnerabilities
- Common Vulnerabilities and Exposures page (no longer maintained).
False positives
Some examples of such security warnings are presented below (the format is "Service (Port)"):
- hosts2-ns(81/tcp): WebDAV
- The WebDAV module is enabled on port 81 of the device (i.e. the HMP internal content server) in order to allow pushing content onto the HMP. It cannot be disabled because it is one of the HMP's fundamental services; nevertheless, access to the content interface can be secured by setting a password for the content authoring user (the password should of course be set before running such security tests).
- The main HMP interface (running on port 80) cannot be searched or modified using WebDAV, except for the /content path, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the admin access should be well secured as well.
- mdns (5353/udp): ZeroConf/bonjour
- The mDNS protocol is enabled to allow device discovery on the network; the services advertised by the HMP through mDNS do not expose any potentially dangerous information. This can be disabled on all players except the legacy ones.
Security-scan products might warn about the jQuery version (v3.2.1) used by the player web interface being affected by the following vulnerabilities: CVE-2020-11022 and CVE-2020-11023.
- Our team analyzed these two vulnerabilities and concluded that they are false positives. The multiple cross-site scripting vulnerabilities refer to the fact that "passing HTML code from untrusted sources to one of jQuery's DOM manipulation methods may execute untrusted code"; this does not apply to the player web interface (no HTML code is allowed, and access is protected by username/password), but rather to a public site where someone could enter a malicious HTML payload. Nevertheless, the jQuery library was updated to v3.6.0 in firmware 4.8.0.
Security advisories
SpinetiX is committed to customer safety and the ongoing security of our products. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. SpinetiX publishes security advisories for security-related defects in its own software on the Security advisories page.
Statement of volatility
The players contain several serial, electrically erasable and programmable non-volatile memory components (EEPROM and Flash memory) that store manufacturing hardware identification, hardware configuration information, and user content.
- The EEPROM memory is not writable by users and cannot contain sensitive data.
- The Flash memory (i.e. the internal storage) is writable by users and thus might contain sensitive data.
Further information about this subject can be provided upon request.