Security

From SpinetiX Support Wiki


This page relates to security of the SpinetiX devices. See also the dedicated article about Meltdown and Spectre vulnerabilities.

Operating System

The SpinetiX player hardware is designed exclusively for running SpinetiX firmware and no unsigned code can be executed on the device!

The SpinetiX player operating system is built into the device firmware and is based on the Linux kernel, with different adaptations and security patches applied specifically for SpinetiX players. The embedded OS cannot be changed in any way and no other OS can be installed on the player.

The player's embedded firmware governs how the device functions and provides low-level control, monitoring and data manipulation of the SpinetiX device. All firmware releases are signed by SpinetiX; any firmware that is not supplied by SpinetiX will not install on the SpinetiX player because its signature does not match. This ensures complete security from malicious code and extremely high reliability.

No third-party drivers or applications can be installed on the player, including drivers for Wi-Fi USB adapters, touchscreens or other USB devices; for interactivity via USB, only the standard HID protocol is supported.

Network

Access

HTTPS

All player models are able to access remote resources via HTTPS.

DiVA, HMP300 and HMP350 devices can be accessed using a secured URL (HTTPS).

  • The web interface is now also available on the standard HTTPS port (443) and is thus reachable via https://HMP_address .
  • The WebDAV interface for content publishing over HTTPS is available on port 9802 (standard WebDAV port) and is thus reachable via https://HMP_address:9802 .
  • The SSL/TLS certificate is an automatically generated self-signed certificate.
  • Since the 4.0.0 firmware, it is possible to upload user certificates using the Server Certificates section of the Network settings.

HMP200, HMP130, and HMP100 models cannot be accessed using a secured URL (HTTPS).

Notes

Possible SSL errors

  • Server certificate verification failed: certificate has expired
    This happens when the server certificate is no longer valid - to solve this, a new server certificate must be issued.
  • Server certificate verification failed: certificate issued for a different hostname
    This happens when the server name doesn't match the one mentioned within the SSL certificate, for instance when using the server's IP address instead of its hostname - to solve this, use the server name as mentioned within the SSL certificate.
  • Server certificate verification failed: issuer is not trusted
    This happens when the server's root certificate is not in the player's built-in database of root certificates of public certification authorities, for instance when the certificate was issued by a private, or enterprise-internal, certification authority. To solve this, add that root certificate on the player from HMP Control Center > Network > Trusted Certificates.
  • SSL handshake failed: SSL error code -1/1/336032856
    This can happen when the hostname reported by the server does not match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for ServerName and NameVirtualHost.
  • SSL handshake failed: SSL error: unknown message digest algorithm
    The sha256WithRSAEncryption algorithm was not supported before the 3.1.0 release. The solution is to update the firmware on the HMP or to use the sha1WithRSAEncryption algorithm when generating the certificate.
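The three "verification failed" messages above come from three independent checks (validity period, hostname, issuer trust), and the HTTPS section's self-signed player certificate fails the third of them on any client that has not imported it. The following is an added illustration, not SpinetiX code and not the player's actual TLS implementation: it runs those checks against constructed certificate records and returns the messages listed above, including the RFC 6125 hostname rules that explain why connecting by IP address fails and how far a wildcard reaches. The names media.corp.example, CN=Corp Internal CA, CN=Example Public Root CA and all dates are made up for the example.

```python
# Added illustration (not SpinetiX code): models the three certificate checks
# behind the "Server certificate verification failed" messages.
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

ERR_EXPIRED = "Server certificate verification failed: certificate has expired"
ERR_HOSTNAME = "Server certificate verification failed: certificate issued for a different hostname"
ERR_ISSUER = "Server certificate verification failed: issuer is not trusted"


@dataclass
class CertInfo:
    """The certificate fields the three checks look at (constructed records,
    not parsed from real certificates)."""
    subject_cn: str
    dns_names: list          # subjectAltName dNSName entries
    ip_addresses: list       # subjectAltName iPAddress entries
    issuer: str              # issuer distinguished name
    not_before: datetime
    not_after: datetime


def hostname_matches(hostname: str, cert: CertInfo) -> bool:
    """RFC 6125-style reference identity check.

    An IP literal only matches an iPAddress SAN, never a DNS name: this is why
    connecting to a server by its IP address fails even though the certificate
    is valid for its hostname. A wildcard covers exactly one left-most label.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(a) for a in cert.ip_addresses)

    host = hostname.lower().rstrip(".")
    # Without any dNSName SAN, fall back to the subject CN (legacy behaviour).
    names = [n.lower().rstrip(".") for n in cert.dns_names] or [cert.subject_cn.lower()]
    for pattern in names:
        if pattern.startswith("*."):
            suffix = pattern[1:]                                   # ".cdn.corp.example"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif pattern == host:
            return True
    return False


def diagnose(hostname: str, cert: CertInfo, trusted_issuers: set, now: datetime) -> list:
    """Return every verification error that applies; an empty list means the
    certificate would be accepted for this hostname at time `now`.

    `trusted_issuers` stands in for the built-in list of public root CAs plus
    whatever was added under Network > Trusted Certificates.
    """
    errors = []
    if now > cert.not_after:
        # A wrong device clock produces this error too: check NTP before reissuing.
        errors.append(ERR_EXPIRED)
    if not hostname_matches(hostname, cert):
        errors.append(ERR_HOSTNAME)
    if cert.issuer not in trusted_issuers:
        # A self-signed certificate (issuer == subject) lands here unless that
        # certificate itself was added as trusted.
        errors.append(ERR_ISSUER)
    return errors


# --- constructed sample data --------------------------------------------------
NOW = datetime(2018, 8, 28, tzinfo=timezone.utc)
PUBLIC_ROOTS = {"CN=Example Public Root CA"}      # stand-in for the built-in CA list

# Certificate from an enterprise-internal CA (the "issuer is not trusted" case).
ENTERPRISE_CERT = CertInfo(
    subject_cn="media.corp.example",
    dns_names=["media.corp.example", "*.cdn.corp.example"],
    ip_addresses=[],
    issuer="CN=Corp Internal CA",
    not_before=datetime(2018, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2019, 1, 1, tzinfo=timezone.utc),
)

# A player's automatically generated self-signed certificate (issuer == subject).
PLAYER_CERT = CertInfo(
    subject_cn="spx-hmp-XXXXXXXXXXXXX.local",
    dns_names=["spx-hmp-XXXXXXXXXXXXX.local"],
    ip_addresses=[],
    issuer="CN=spx-hmp-XXXXXXXXXXXXX.local",
    not_before=datetime(2018, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2028, 1, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    corp_roots = PUBLIC_ROOTS | {"CN=Corp Internal CA"}
    for host, cert, roots in [
        ("media.corp.example", ENTERPRISE_CERT, PUBLIC_ROOTS),
        ("media.corp.example", ENTERPRISE_CERT, corp_roots),
        ("172.21.1.85", ENTERPRISE_CERT, corp_roots),
        ("spx-hmp-XXXXXXXXXXXXX.local", PLAYER_CERT, PUBLIC_ROOTS),
    ]:
        print(host, "->", diagnose(host, cert, roots, NOW) or ["OK"])
```

Running the block prints one line per case: the enterprise certificate is rejected until its internal CA is added to the trusted set, is then accepted by hostname but still rejected by IP address, and the player's self-signed certificate is rejected by any client that has not imported that exact certificate. The same logic explains the handshake error further up: a server answering for a name other than the one in its certificate fails the hostname check before anything else is evaluated.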

Access security

The access to the HMP can be protected by passwords configurable on the "Security" page in Control Center interface.

Note:
If you have multiple HMPs and want to set or change their passwords in a centralized manner rather than manually from Control Center, for instance to set a new password on all HMPs every 30 days, you can use the RPC set_password feature of the player.

Security warnings

CVEs

SpinetiX actively monitors the official CVE list for any potential threats that could affect our players and software products and acts quickly to fix them when necessary, either through patches or external library updates.

CVE stands for Common Vulnerabilities and Exposures, which is a dictionary of publicly known information security vulnerabilities and exposures.

  • An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
  • An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

To know which CVEs got fixed lately, check out these dedicated pages:

See also:

False positives

Some security-scan products, also known as vulnerability and configuration assessment products (for instance Nessus), might report various security warnings related to the player; however, these are false positives (that is, nothing to worry about). Some examples of such security warnings are presented below (the format is "Service (Port)"):

  • hosts2-ns(81/tcp): WebDAV
    The WebDAV module is enabled on port 81 of the device (i.e. the HMP internal content server) in order to allow pushing content onto the HMP.
    It cannot be disabled because it is one of the HMP's fundamental services; nevertheless, access to the content interface can be secured by setting a password for the content user (of course, the password should be set before running such security tests).
    The main HMP interface (running on port 80) cannot be searched or modified using WebDAV, except for the /content path, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the administration area should be secured as well.
  • Apache modules
    Network security scans might sometimes report potential vulnerabilities affecting the version of Apache in use; however, only a limited set of modules is actually built in and used, so most of these findings do not apply. In case of doubt, feel free to contact us.
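The WebDAV finding above is only a false positive when the content user actually has a password, so it is worth confirming that across a fleet before a scanner is run. The script below is an added example, not SpinetiX code: probe_content_interface() sends a single unauthenticated OPTIONS request to the content port and reports whether the player answered with HTTP 401 (password set) or let the request through. The stand-in server, its "Content Area" realm reply and the loopback addresses are constructed so that the example runs offline; to use it on an inventory, hand audit_players() the real player addresses on port 81.

```python
# Added example (not SpinetiX code): verify that the HMP content interface on
# port 81 demands credentials before running a vulnerability scan against it.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CONTENT_PORT = 81   # HMP internal content server (WebDAV)


def probe_content_interface(host: str, port: int = CONTENT_PORT, timeout: float = 3.0) -> str:
    """One unauthenticated OPTIONS request to the content interface.

    "password-set": the server demanded credentials (HTTP 401), the state you
                    want before any security scan is run.
    "NO-PASSWORD":  the request went through without credentials.
    "unreachable":  no answer on that port (wrong address, or a model without
                    the content server reachable from here).
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        resp.read()
        conn.close()
    except OSError:
        return "unreachable"
    if resp.status == 401:
        return "password-set"
    if resp.status < 400:
        return "NO-PASSWORD"
    return "http-%d" % resp.status


def audit_players(players) -> dict:
    """players: iterable of (host, port) pairs; returns {"host:port": verdict}."""
    return {"%s:%d" % (h, p): probe_content_interface(h, p) for h, p in players}


class _StandInContentServer(BaseHTTPRequestHandler):
    """Constructed stand-in for the player's content interface, for offline use.
    It answers OPTIONS the way a password-protected (or unprotected) WebDAV
    share would; it is not the player's real server."""
    require_auth = True

    def do_OPTIONS(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Content Area"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("DAV", "1,2")
        self.send_header("Allow", "OPTIONS, GET, PUT, PROPFIND, MKCOL, DELETE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the example quiet
        pass


def start_stand_in(require_auth: bool):
    """Start a stand-in on a free loopback port; returns (server, port)."""
    handler = type("StandIn", (_StandInContentServer,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    protected, port_ok = start_stand_in(require_auth=True)
    unprotected, port_bad = start_stand_in(require_auth=False)
    # Replace these two loopback entries with your players' addresses on port 81.
    for target, verdict in audit_players([("127.0.0.1", port_ok), ("127.0.0.1", port_bad)]).items():
        print(target, verdict)
    protected.shutdown()
    unprotected.shutdown()
```

A "NO-PASSWORD" line means the scanner's WebDAV warning for that player is not a false positive yet: set the content user's password from the Security page first, then re-run the audit and the scan. The same check applies to the /content path on port 80, since the content interface is replicated there.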

Passwords stored by Elementi

The credentials required when accessing players, Publish Locations or resources from web servers are managed from the Menu > Settings > Network Credentials... dialog. The passwords are not displayed in clear text until the "Show Passwords" button is clicked.

The data is stored in encrypted form inside the profile.xml file (in the Application Data\SpinetiX\Elementi folder), under the "credentials" section:

<spx:credentials>
  <spx:auth realm="" host="http://172.21.1.85:81/" user="content" passwd="QAAANCoAwE/Cl+sBUYdUu+Ow..."/>
  <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" user="content" passwd="bJ9WAQAAANCMnd8BE8AA..."/>
  <spx:auth realm="" host="http://dav.box.com/" user="abc@spinetix.com" passwd="AQAAANCMnd8APEQma+rpGYWmxLmCcZ1Lc..."/>
  <spx:auth realm="SYNO_WebDAV Storage" host="http://synology-nas:5005/projects/MyProject/" user="hmp" passwd="8+DI9HiTIG7rrAMgavfbJ9WwyuERfkecMTTIQAAAAIcygF..."/>
</spx:credentials>

Notes:
  • The profile.xml file cannot be copied to and used on another machine, because the data is encrypted with the UID of the user account logged in on that machine; even if another user has the same login name, the UID will not be the same.
  • If you have a group of HMPs all using one password, delete the value of the "host" parameter above (leaving just two double-quotes). This will result in Elementi / HMD attempting to use this password first for every player it publishes to. Players with different passwords will give the standard login dialog.
  • If you have multiple groups of HMPs with different passwords per group, you can copy and paste the entire <spx:auth> tag above and replace the hostname in each case.
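The two bulk edits described in the notes above (one fleet-wide password, or one entry per player in a group) can be scripted instead of hand-editing profile.xml. The following is an added example, not SpinetiX code: it loads a constructed copy of the credentials section shown above, clears the host of one entry so it becomes the default, and clones an entry for additional hostnames. The namespace URI in SPX_NS is a placeholder (ElementTree needs the real xmlns:spx value declared in your profile.xml), the spx-hmp-AAAA... and spx-hmp-BBBB... hostnames are made up, and the passwd values are the truncated blobs from the page, not usable secrets.

```python
# Added example (not SpinetiX code): scripted edits to the credentials section
# of Elementi's profile.xml.
import copy
import xml.etree.ElementTree as ET

# Placeholder: replace with the xmlns:spx URI declared in your own profile.xml.
SPX_NS = "urn:placeholder:spinetix-profile"
ET.register_namespace("spx", SPX_NS)
AUTH_TAG = "{%s}auth" % SPX_NS
CREDENTIALS_TAG = "{%s}credentials" % SPX_NS

# Constructed sample mirroring the credentials section shown above.
SAMPLE_PROFILE = """<spx:profile xmlns:spx="%s">
  <spx:credentials>
    <spx:auth realm="" host="http://172.21.1.85:81/" user="content" passwd="QAAANCoAwE/Cl+sBUYdUu+Ow..."/>
    <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" user="content" passwd="bJ9WAQAAANCMnd8BE8AA..."/>
  </spx:credentials>
</spx:profile>""" % SPX_NS


def load_profile(xml_text: str) -> ET.Element:
    """Parse profile.xml content; use ET.parse(path).getroot() for the real file."""
    return ET.fromstring(xml_text)


def list_credentials(root) -> list:
    """(realm, host, user) for every entry; the encrypted passwd is left out."""
    return [(a.get("realm"), a.get("host"), a.get("user")) for a in root.iter(AUTH_TAG)]


def make_group_default(root, host: str) -> bool:
    """Clear the host of one entry so Elementi tries its password first for
    every player (the single-password fleet case). False if no entry matched."""
    for auth in root.iter(AUTH_TAG):
        if auth.get("host") == host:
            auth.set("host", "")
            return True
    return False


def clone_for_hosts(root, template_host: str, new_hosts) -> int:
    """Duplicate one entry per extra player that shares the same password (the
    several-groups case). Only meaningful on the same Windows account, since the
    passwd blob is bound to that account. Returns the number of entries added."""
    new_hosts = list(new_hosts)
    credentials = root.find(CREDENTIALS_TAG)
    template = next((a for a in credentials if a.get("host") == template_host), None)
    if credentials is None or template is None:
        return 0
    for host in new_hosts:
        clone = copy.deepcopy(template)
        clone.set("host", host)
        credentials.append(clone)
    return len(new_hosts)


def dump(root) -> str:
    """Serialise with the spx: prefix preserved, ready to write back to profile.xml."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    root = load_profile(SAMPLE_PROFILE)
    make_group_default(root, "http://172.21.1.85:81/")
    clone_for_hosts(root, "http://spx-hmp-XXXXXXXXXXXXX.local.:81",
                    ["http://spx-hmp-AAAAAAAAAAAAA.local.:81",
                     "http://spx-hmp-BBBBBBBBBBBBB.local.:81"])
    print(dump(root))
```

Close Elementi before writing the result back, and keep the edited file on the machine and Windows account it came from: as the first note says, the passwd blobs are bound to that account, so a profile.xml carried elsewhere will not decrypt.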
This page was last modified on 28 August 2018, at 20:20.