Author Topic: Fixes for vulns in recent advisory - Community feedback wanted  (Read 13070 times)

Offline Da_JoJo

  • Hero Member
  • Posts: 1380
  • Karma: +16/-78
  • If something aint work, we can allways try n make
Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #15 on: September 08, 2013, 10:37:57 am »
It's using UPnP for steering the devices, so it's not really a good idea to turn it off. The outside port could be turned off (which would ruin many people's remote interfaces), or use proxy-forwarding or an authentication mechanism in peer communication.
I'd go for peer authentication with a key, as this has the least impact of all.
http://<vera-ip>:49451/URL%20for%20presentation gives the UPnP spec page on my Windows PC but doesn't seem to work.
Scanning with UPnP Tester doesn't bring up the .root device for Vera, which it should.
Two decimals behind the comma for temperature devices, as the UPnP specs require, is also not working. http://forum.micasaverde.com/index.php?topic=10244.0 Ap15e mentioned a lot of other stuff that should be noted, and MCV did not listen to its users. Still wonder why?
Now that it's in the news, all of a sudden there is a need to do stuff to change what is not easy to change, but the things that would require changes are being neglected. Oh, and there is the documentation wiki, which I and other forum users have rewritten and extended, as MCV was transparent and honest to the users that it didn't have time for this. Also the hours I put into translation, which in the end turned out not to be possible because of the strings used for the main UI. And the extra translation for the TrickTV platform, which shouldn't be there in the first place. Giving me a test account with which I could switch the lights and heating for the whole MCV offices... taking out the test-Vera UI as it was subject to hackers... exchanged for a test-Vera which you can buy as a developer... the wiki that was being abused by spammers... etc., etc.
I see where MCV's interest primarily lies ;D
Time to fix it all up ::)
« Last Edit: September 08, 2013, 11:14:21 am by Da_JoJo »
Vera lite (1.5.622), 2x an-158/2, dead usb pl2302 rs-232, 2x greenwave 6 port, 4x Fibaro FGD211 v1.6, FGBS001, few FGS - 221, etc. AuthomationHD 3 for android :-)
Dutch & German translator http://wiki.micasaverde.com/index.php/Special:AllPages http://support.micasaverde.com http://domotica-shop.nl

Offline RichardTSchaefer

  • Master Member
  • Posts: 10091
  • Karma: +763/-142
Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #16 on: September 08, 2013, 11:12:26 am »
Quote
It's using UPnP for steering the devices, so it's not really a good idea to turn it off. The outside port could be turned off (which would ruin many people's remote interfaces)
I am not sure I quite understand what you mean by steering...
I thought most of the remote user interfaces use the HTTP-based LUUP requests.
I am not sure what devices use the UPnP interface... I do not think I have any.
Maybe the cameras... I have not looked... but I think Vera uses just the HTTP interface for these.

So if everything goes through LightHttpd, and we disable UPnP we have one place to secure.

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #17 on: September 08, 2013, 11:16:23 am »
Well, have a look at the device type in the advanced settings of a device. There is a UPnP point. Also, many remotes use port 3480.
see here http://wiki.micasaverde.com/index.php/Luup_Intro#Introduction_to_Luup_development
« Last Edit: September 08, 2013, 11:22:15 am by Da_JoJo »

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #18 on: September 08, 2013, 11:29:21 am »
These are not UPnP issues.

To change direct access to port 3480 will require changes to remotes...
But it's simple: you can replace

http://xxx:3480/...

with

http://xxx/port_3480/...

The Light Httpd is already set up to proxy this port. MCV already uses this because of cross-site scripting issues with the remote interface.


Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #19 on: September 08, 2013, 11:52:53 am »
But if you exchange port 3480 for port 80, then it has the same problem?

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #20 on: September 08, 2013, 12:23:22 pm »
Notice:
http://YourIPAddress/port_3480/data_request?id=user_data
is the same as:
http://YourIPAddress:3480/data_request?id=user_data

The former goes through the HTTP proxy first.
They have not set up the proxy for the HTTPS port... but that's a one-line change.
Other changes need to be made to use certificates as well.
When you talk to port 3480, you are talking to LuaUPnP directly.
I am proposing that we only allow access via the Light httpd daemon, and only allow access via certificates...
This implies that we only allow LuaUPnP to read from 127.0.0.1:3480, which would be accessed via the proxy. That's an MCV change.

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #21 on: September 08, 2013, 12:27:23 pm »
Yes, but if you send a command to open a lock to port 3480 or to /port_3480/, it would still open the lock, right? So if I put this in a webpage with some PHP to find the Vera IP and send the command to /port_3480/, it would still work.

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #22 on: September 08, 2013, 12:37:56 pm »
If the Vera web server were set up to only respond to authenticated (via certs) requests, there would not be a problem.

Then, unless your PHP server presented the certificate... it would not respond.

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #23 on: September 08, 2013, 12:51:15 pm »
But then it would make it troublesome for the remote interfaces. I like the idea of having a key first to make contact with the Vera UPnP and then being able to send commands. It won't need an SSL cert and stuff. Just send the right key to Vera, and Vera would open up the rest of the commands to the IP used only.

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #24 on: September 08, 2013, 01:06:05 pm »
If you do that on an IP basis... if you open it up to your desktop (because you run the Vera Control Panel)... then you are opening the possibility for a malicious script to access your Vera via your home computer.

Offline guessed

  • Master Member
  • Posts: 5295
  • Karma: +90/-22
  • Release compat is not a bolted-on afterthought
Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #25 on: September 08, 2013, 01:07:29 pm »
Yup, there are a few extras that'll need to be locked local.

Excluding SSH and DNSMasq, here's the complete list of TCP LISTEN entry points. Note that ser2net is a flexible list, depending upon what you have serial-attached to Vera (49451 is the original version of 3480):

Code: [Select]
lighttpd   2358   root    4u     IPv4       2672      0t0        TCP *:80 (LISTEN)
LuaUPnP   10519   root    6u     IPv4    2123595      0t0        TCP *:49451 (LISTEN)
LuaUPnP   10519   root   10u     IPv4    2123601      0t0        TCP *:3480 (LISTEN)
ser2net   10612   root    4u     IPv4    2123708      0t0        TCP *:3484 (LISTEN)
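The listing above, together with the proposal earlier in the thread to have LuaUPnP read only from 127.0.0.1:3480 behind the lighttpd proxy, suggests a simple check: which services are still bound to every interface. The following is an added example (not code from the thread or from MiCasaVerde) that parses `lsof` LISTEN lines in the format posted above and flags the wildcard-bound listeners. The posted lines are embedded as constructed sample input, along with a second constructed capture showing the intended end state; which ports are expected to be loopback-only (`EXPECTED_LOOPBACK`) is an assumption taken from the discussion, not Vera's shipped configuration.

```python
"""Check which Vera services listen on all interfaces rather than loopback.

Added example: this is not code from the thread or from MiCasaVerde. It parses
`lsof` LISTEN lines in the format quoted in the post above (embedded below as
constructed sample input) and reports the listeners that the thread's hardening
idea would move behind the lighttpd proxy on 127.0.0.1. Which ports belong in
that set (EXPECTED_LOOPBACK) is an assumption taken from the discussion.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "process pid proto addr port")

# Constructed sample: the `lsof` output posted in the thread (current state).
SAMPLE_LSOF = """\
lighttpd   2358   root    4u     IPv4       2672      0t0        TCP *:80 (LISTEN)
LuaUPnP   10519   root    6u     IPv4    2123595      0t0        TCP *:49451 (LISTEN)
LuaUPnP   10519   root   10u     IPv4    2123601      0t0        TCP *:3480 (LISTEN)
ser2net   10612   root    4u     IPv4    2123708      0t0        TCP *:3484 (LISTEN)
"""

# Constructed sample: the same box after the proposed change (LuaUPnP and
# ser2net bound to loopback, lighttpd still the only network-facing service).
SAMPLE_HARDENED = """\
lighttpd   2358   root    4u     IPv4       2672      0t0        TCP *:80 (LISTEN)
lighttpd   2358   root    5u     IPv4       2673      0t0        TCP *:443 (LISTEN)
LuaUPnP   10519   root    6u     IPv4    2123595      0t0        TCP 127.0.0.1:49451 (LISTEN)
LuaUPnP   10519   root   10u     IPv4    2123601      0t0        TCP 127.0.0.1:3480 (LISTEN)
ser2net   10612   root    4u     IPv4    2123708      0t0        TCP 127.0.0.1:3484 (LISTEN)
"""

# Assumed target state: only the web front door stays reachable from the network.
EXPECTED_LOOPBACK = {3480, 49451, 3484}

WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}

# lsof -nP -iTCP -sTCP:LISTEN columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
_LISTEN_RE = re.compile(
    r"^(?P<process>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<addr>\S+?):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def parse_listeners(text):
    """Turn lsof LISTEN lines into Listener records; unrelated lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append(Listener(m["process"], int(m["pid"]), m["proto"],
                                  m["addr"], int(m["port"])))
    return found


def wildcard_listeners(listeners):
    """Listeners bound to every interface, i.e. reachable from LAN and WAN."""
    return [l for l in listeners if l.addr in WILDCARD_ADDRS]


def misbound(listeners):
    """Wildcard listeners that the hardening plan says should be loopback-only."""
    return [l for l in wildcard_listeners(listeners) if l.port in EXPECTED_LOOPBACK]


def report(text):
    """Human-readable summary for one lsof capture."""
    bad = misbound(parse_listeners(text))
    if not bad:
        return "OK: nothing that should be loopback-only is exposed"
    return "\n".join(f"EXPOSED {l.process} (pid {l.pid}) on {l.addr}:{l.port}" for l in bad)


if __name__ == "__main__":
    print("Current box:\n" + report(SAMPLE_LSOF))
    print("\nAfter hardening:\n" + report(SAMPLE_HARDENED))
```

On a real box the text would come from `lsof -nP -iTCP -sTCP:LISTEN`; the check deliberately treats lighttpd on 80/443 as acceptable, because that is the one entry point the thread proposes to keep and authenticate.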

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #26 on: September 08, 2013, 01:24:23 pm »
@guessed
Do you know if there are a significant number of clients to the UPnP interfaces to Vera?

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #27 on: September 08, 2013, 01:32:11 pm »
Quote
If you do that on an IP basis... if you open it up to your desktop (because you run the Vera Control Panel)... then you are opening the possibility for a malicious script to access your Vera via your home computer.

OK, then sending the key every time with the command would be better.
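The exchange above (a forged request from a page the user merely visits, an IP allowlist that the desktop's own browser defeats, and a key sent with every command) can be made concrete. The following is an added example, not code from the thread or from MiCasaVerde: it models a LuaUPnP request handler under the three policies and runs one legitimate and one forged request through each. The request model, the `X-Vera-Key` header name, the simplified lock command path and the sample addresses are assumptions made for the illustration.

```python
"""Model the three access policies debated for Vera's /port_3480/ endpoint.

Added example, not code from the thread or from MiCasaVerde. It simulates a
LUUP request handler under three policies: no check (today), a source-IP
allowlist, and a shared key the client sends with every request. The request
model, the header name X-Vera-Key, the lock command path and the sample
addresses are assumptions made for the illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed, simplified shape of a lock command; real LUUP parameters are not spelled out here.
LOCK_CMD = "/port_3480/data_request?id=action&DeviceNum=7&action=SetTarget"


@dataclass
class Request:
    client_ip: str                # address the Vera sees the request coming from
    path: str
    headers: dict = field(default_factory=dict)
    triggered_by: str = "user"    # informational only: "user" or "malicious page"


def policy_open(req, ctx):
    """Current behaviour in the thread: anything that reaches the port is executed."""
    return True


def policy_ip_allowlist(req, ctx):
    """Accept only requests from allowlisted hosts (the desktop running the control panel)."""
    return req.client_ip in ctx["allowed_ips"]


def policy_per_request_key(req, ctx):
    """Accept only if this request carries the shared key.

    hmac.compare_digest keeps the comparison constant-time, so a wrong key
    cannot be narrowed down byte by byte from response timing."""
    presented = req.headers.get("X-Vera-Key", "")
    return hmac.compare_digest(presented.encode(), ctx["key"].encode())


POLICIES = {
    "open": policy_open,
    "ip-allowlist": policy_ip_allowlist,
    "per-request-key": policy_per_request_key,
}


def handle(req, policy_name, ctx):
    """Return True if LuaUPnP would execute the command under the named policy."""
    return POLICIES[policy_name](req, ctx)


def run_scenario():
    """Legitimate desktop request vs. a forged one from a malicious page in the same browser.

    Returns {policy: (legit_executed, forged_executed)}."""
    ctx = {
        "allowed_ips": {"192.168.1.50"},        # assumed: the home desktop
        "key": secrets.token_urlsafe(32),       # provisioned once into the real client
    }
    legit = Request("192.168.1.50", LOCK_CMD, {"X-Vera-Key": ctx["key"]})
    # Same browser, same source IP, but issued by a page the user only visited:
    # the page knows (or guesses) the Vera's address but not the key.
    forged = Request("192.168.1.50", LOCK_CMD, triggered_by="malicious page")
    return {name: (handle(legit, name, ctx), handle(forged, name, ctx)) for name in POLICIES}


if __name__ == "__main__":
    for name, (legit_ok, forged_ok) in run_scenario().items():
        print(f"{name:16} legit={'executed' if legit_ok else 'rejected':8} "
              f"forged={'EXECUTED' if forged_ok else 'rejected'}")
```

The allowlist accepts the forged request because the Vera only sees the desktop's address, exactly the failure described in the quoted reply; the per-request key rejects it because the visited page does not hold the key. Carrying the key in a request header rather than the query string keeps it out of proxy logs and Referer headers, and a page on another origin cannot attach a custom header to a cross-site request unless the Vera's web server explicitly permits it in a CORS preflight.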

Offline guessed

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #28 on: September 08, 2013, 03:48:46 pm »
Quote
@guessed
Do you know if there are a significant number of clients to the UPnP interfaces to Vera?
To my knowledge, all the mainstream UIs are using the Vera[-specific] mechanism to display data from, and invoke actions on, Vera. There are some variants of this, including the port differences (49451, 3840, or proxy via port_3480) and some subtle variations on the entry point (user_data2 et al.), but otherwise they're all fairly consistent.

The ones I'm less clear on relate to the Windows Media Center controllers, since I've never used them.

For raw UPnP, I doubt that people use it... It has a lot of very old bugs that haven't been addressed (timeouts/performance on SSDP discovery, lack of NOTIFY support, non-compliance with UPnP state handling, etc.), such that I can't imagine it would be usable in practical terms.

For "tiny" systems with a small number of devices, some of these issues won't be as important. People quickly grow systems beyond the tiny state.

Offline micasaverde

  • Hero Member
  • Posts: 1666
  • Karma: +15/-1
Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #29 on: September 08, 2013, 11:12:57 pm »
I agree it makes sense to turn it off by default, since the few people who do use it will be savvy enough to go into settings and turn it back on. The only reason we left it on by default is that, since the regular HTTP port 80 isn't protected anyway, turning on UPnP doesn't hurt anything (doesn't add any extra protection). It's like locking your car door and leaving the windows down. In the beginning we didn't know how many people would use it vs. the proprietary interface, so we left it on, and maybe for existing users who might be using it, we'll leave it on by default when we provide a firmware upgrade so they're not left hanging and unaware why their stuff stopped working. But, even though it doesn't solve the security issue, I think it's a good idea to have it turned off by default. However, I think we're going to have port 80 AND the self-signed cert on HTTPS port 443 on by default, and have a 'secure my device' option to turn off port 80 and UPnP, but which first tests if the browser will accept an HTTPS connection before proceeding.