Author Topic: Fixes for vulns in recent advisory - Community feedback wanted  (Read 13289 times)

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #30 on: September 08, 2013, 11:24:55 pm »
@micasaverde

I like the strategy ... you should only be allowed to turn off Port 80 from Port 443 while using a cert!

Need to define the strategy for exchanging the certs for 3rd-party apps ...
Will they need to turn off security and connect on LAN port 80 to set up the certs?

Will access to Vera through the MiOS tunnels also be protected by the same certs?


Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #31 on: September 09, 2013, 01:02:33 am »
That's a good start to tighten security... but by UPnP do you mean the raw UPnP (noted by guessed as being unusable) or port 3480?
The MiOS tunnels go over an SSH connection, from what I read.
The problem is this port 3480, which allows, on the local net, a command for opening a lock, and the URL that gets one the IP for Vera.
There are a number of remote programs users made that use port 3480, so what is going to happen to these?
Vera lite (1.5.622), 2x an-158/2, dead usb pl2302 rs-232, 2x greenwave 6 port, 4x Fibaro FGD211 v1.6, FGBS001, few FGS - 221, etc. AuthomationHD 3 for android :-)
Dutch & German translator http://wiki.micasaverde.com/index.php/Special:AllPages http://support.micasaverde.com http://domotica-shop.nl

Offline RichardTSchaefer

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #32 on: September 09, 2013, 06:52:25 am »
@Da_JoJo
There have been claims that Vera is open (from a security perspective) in order to support the UPnP protocol.
It may have been a design goal for Vera ... In fact the main app is called LuaUPnP because of this. But I did not know of any actual users of the UPnP protocol. Mostly confirmed by guessed and MCV.

As a result MCV appears to be planning to secure the access to port 3480 (and, as guessed indicated, port 49451). LuaUPnP would only listen on localhost. Any application that sits on Vera could access the LuaUPnP application with a local connection. Remote access would be by the lighttpd daemon and would be available by making the following changes to the existing interface.

Change:   http://Vera.IP.LAN.Address:3480/...
To:          http://Vera.IP.LAN.Address/port_3480/...

I assume if they leave Port 80 open they may also allow access to Vera.IP.LAN.Address port 3480. This would provide a transition period for remote apps to upgrade their apps.

When they disable port 80 and Vera.IP.LAN.Address port 3480, 49451 then you will have to access via https (port 443) and present an authenticated user certificate.
« Last Edit: September 09, 2013, 07:07:11 am by RichardTSchaefer »

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #33 on: September 11, 2013, 10:55:52 am »
Sounds like a good plan.
It would also be nice if they changed that to: https://VeraLocalLanIP/serial/loginname/password/port_3480/
and the network neighbourhood device now called "Mios serial" to "Vera 2/3/lite serial",
and changed the presentation URL from http://192.168.1.5:49451/URL%20for%20presentation to https://VeraLocalLanIP,
fixing the UPnP device presentation to other devices on the LAN, and making the rest of the UPnP control internal and, as noted, proxied to localhost.

Offline dcrowley

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #34 on: September 13, 2013, 06:43:56 pm »
Quote
So what you say is that SSL (which can also be hacked and is a pain in the behind for most users, who get scared when a warning page comes up) is a solution.

SSL/TLS is rather broken, and especially with the NSA spying revelations that have come out of late, the entire security community is abuzz trying to figure out how to fix it (or how it is broken). There is a large body of study on SSL/TLS weaknesses, but it's about the best that can reasonably be done without significant re-architecture of the VeraLite.

As I said previously, there is no perfect security. Doesn't exist. Everything is vulnerable; security engineering and architecture is just about increasing the time, effort, and resources needed for an attack to be successful. I highly doubt that you are sitting in front of your computer in full-body kevlar armor to keep yourself safe from bullets. Neither am I! This makes us both vulnerable to bullets. If we were sitting in front of our computers in full kevlar armor, we would still be vulnerable to explosives. However, I don't know about you, but I don't work for SWAT or live in Syria, so I've decided it's not worth it for me to wear kevlar armor. That stuff is HEAVY and not very fashionable. The benefits I get from not wearing kevlar armor outweigh the risk of potentially being shot.

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #35 on: September 13, 2013, 08:23:36 pm »
@dcrowley
Wouldn't it be better to use TLS 1.0 with a 4096-bit key, as this is a little more secure than SSL, all browsers can handle it, and it would take the time needed to hack it to the maximum achievable within reason? Also the option to have, like the remote to Vera, the login to UPnP like this: https://vera-ip/username/pass/serial/data_request?...
The NSA got help from the designers of system security and several security experts, as well as social engineering, opening every possible hole there is in security, and this cannot be closed by any existing security methods. Also the DNS structure is such that there is a considerable lack of security; if you have the right key then one could compromise it and even take over the ownership of the domain, which would be a huge pain in the behind.
I get the point of securing it so that it would be a big hurdle to take for exposing the inner layers of the Vera, and keeping it user-friendly. I'm sure if someone wants to hold a gun against my head to get the password, the security is not necessary anymore, as they're in already. I do not have a fortified bunker, and neither does the common user, lol. The thing is to make it, so to speak, so that "the front door isn't wide open for intruders/malicious scripts". In my opinion it would be a great addition to Vera if the UPnP port 3480/49451 is protected like the online version of it mentioned above here.

Offline dcrowley

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #36 on: September 14, 2013, 12:10:10 am »
Quote
Wouldn't it be better to use TLS 1.0 with a 4096-bit key, as this is a little more secure than SSL, all browsers can handle it, and it would take the time needed to hack it to the maximum achievable within reason?

Sorry, yes, SSL and TLS are often used interchangeably and a lot of people don't know what I'm talking about when I say "TLS" so I just go with "SSL". Anyway, the breaks in modern versions of TLS require very specific conditions, like the ability to send tens of thousands of requests as the user, where some part of the request is reflected in the response and the response is also compressed. Pretty specific scenarios. So to say that modern versions of TLS are "easily hackable" isn't quite right. Hackable, maybe. As we know, so is everything. To be fair, breaking TLS usually isn't the easy way in.

Quote
Also the option to have, like the remote to Vera, the login to UPnP like this: https://vera-ip/username/pass/serial/data_request?...

I like this idea. My only issue with this is that the username and password are passed in a URL. Not a great idea because this sort of information ends up in web logs, proxy logs, browser history, etc.

Quote
In my opinion it would be a great addition to Vera if the UPnP port 3480/49451 is protected like the online version of it mentioned above here.

I agree. I only learned of port 3480 after releasing the advisory mentioned in the OP. Trustwave has contacted MCV privately about it, but I suppose the cat's out of the bag now that it's been mentioned in a public forum by someone else. If I could get only one thing changed, it would be this. An img tag is enough to do nasty things with this as it is currently:

<img src="http://VERA_IP:3480/NASTY_RUNLUA_CALL_HERE">

Get someone on the same network as a VeraLite to visit a webpage with one of these for each common home IP address (192.168.1.1-256,192.168.0.1-256) and their browser will happily attempt to run the command against each IP until it runs out of "images" to load.

EDIT: fix for typos 9/13 11:11pm
« Last Edit: September 14, 2013, 12:12:05 am by dcrowley »

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #37 on: September 14, 2013, 08:53:20 am »
Yup, that's what I tried to tell... some PHP or JavaScript running a loop would be too easy to script and would screw up the system. If this was run in the same browser that has the SSL/TLS cert, opening this page in a popup/iframe window, then it won't make a difference, this whole SSL stuff; correct me if I'm wrong.

Perhaps it's not a great idea, but it would only stay in the local PC browser's history. One could set the page on Vera which handles the request to not store a local cache, and over a TLS connection it would be better than no login. Perhaps a key generated with time/login/pass in it would work, but it would break the system for having the easy way of controlling a device with a simple link. So I guess it's a compromise.

Offline dcrowley

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #38 on: September 15, 2013, 02:47:49 pm »
Quote
Yup, that's what I tried to tell... some PHP or JavaScript running a loop would be too easy to script and would screw up the system. If this was run in the same browser that has the SSL/TLS cert, opening this page in a popup/iframe window, then it won't make a difference, this whole SSL stuff; correct me if I'm wrong.

A client SSL/TLS cert can authenticate, but does not protect against tricking a user into submitting a request.

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #39 on: September 15, 2013, 05:56:52 pm »
Hence the idea of protecting the submitted request with a key or login... unless someone has a better idea, I would opt for this construction.
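The point made in Replies #36 to #39 (an <img> tag can fire a data_request, a client certificate authenticates but does not stop a request the browser was tricked into sending, and a secret carried in the URL ends up in logs) as an added, runnable illustration. This is not Vera/MiOS code: it models the 443 front end proposed in this thread as a policy function and feeds it constructed requests. The X-Vera-Token header name, the session token, the serial number and the log format are assumptions chosen for the example.

```python
"""Why a TLS client certificate alone does not stop an <img>-triggered
data_request, and why a secret in the URL ends up in the access log.

Added example, not Vera/MiOS code. It models the front end proposed in
this thread (lighttpd on 443 forwarding /port_3480/ to LuaUPnP) as a
policy function. X-Vera-Token, the session token, the serial and the
log format are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: a per-session secret the UI would hand the user's own
# client after login. An attacker's page never learns it.
SESSION_TOKEN = secrets.token_hex(16)


@dataclass
class Request:
    method: str
    url: str                         # path + query as received on 443
    headers: dict = field(default_factory=dict)
    client_cert_ok: bool = False     # set by the TLS layer, not by the page

    @property
    def path(self) -> str:
        return urlsplit(self.url).path


def cert_only_policy(req: Request) -> bool:
    """Forward anything under /port_3480/ that arrived with a verified cert."""
    return req.client_cert_ok and req.path.startswith("/port_3480/")


def cert_plus_token_policy(req: Request) -> bool:
    """Additionally require a header token; compared in constant time."""
    if not cert_only_policy(req):
        return False
    token = req.headers.get("X-Vera-Token", "")
    return hmac.compare_digest(token, SESSION_TOKEN)


# Constructed lu_action call in the real data_request shape (switch device 7 on).
ACTION = ("/port_3480/data_request?id=lu_action&DeviceNum=7"
          "&serviceId=urn:upnp-org:serviceId:SwitchPower1"
          "&action=SetTarget&newTargetValue=1")


def forged_img_request() -> Request:
    """What the victim's browser sends for <img src="https://VERA/..."> on an
    attacker's page: a plain GET, the browser's own client cert attached
    automatically, and no custom headers (an <img> cannot set any)."""
    return Request("GET", ACTION, {}, client_cert_ok=True)


def legitimate_request() -> Request:
    """The same call from the real UI's JavaScript, which knows the token."""
    return Request("GET", ACTION, {"X-Vera-Token": SESSION_TOKEN},
                   client_cert_ok=True)


def access_log_line(req: Request, client_ip: str = "192.168.1.20") -> str:
    """Common Log Format line as a front end writes it: the whole URL,
    query string included, is recorded; request headers are not."""
    return (f'{client_ip} - - [14/Sep/2013:00:10:10 +0000] '
            f'"{req.method} {req.url} HTTP/1.1" 200 0')


def url_credential_request(user: str, password: str) -> Request:
    """The https://vera-ip/username/pass/serial/data_request?... shape
    suggested in the thread, with constructed values (serial is made up)."""
    return Request("GET",
                   f"/{user}/{password}/50001234/data_request?id=lu_status2",
                   {}, client_cert_ok=True)


if __name__ == "__main__":
    print("img CSRF, cert only    ->", cert_only_policy(forged_img_request()))        # True
    print("img CSRF, cert + token ->", cert_plus_token_policy(forged_img_request()))  # False
    print("real UI,  cert + token ->", cert_plus_token_policy(legitimate_request()))  # True
    print(access_log_line(url_credential_request("alice", "s3cret")))
```

The header token works because HTML elements cannot add request headers and a cross-origin script cannot add one without a CORS preflight that the front end would refuse; checking the Origin/Referer header or requiring POST are the usual alternatives. A secret in the URL path, as suggested in the thread, also defeats a blind <img> because the attacker's page does not know it; the cost, shown by the last line printed, is that the secret is written to every access log, proxy log and browser history entry, whereas the header-carried token never appears there.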

Offline fraga

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #40 on: September 16, 2013, 05:49:06 am »
Hello,

I'm about to buy a Vera Lite to start a small system at home, but before doing so I would like to make sure I could secure it without any side effects on the features.
I would like to start by implementing TLS/SSL on the web interface.
First question: do you have any ETA for having this feature out of the box? (I understand this is something planned.)

In the meantime, can I do it myself by tuning lighttpd.conf and using openssl to generate my own self-signed certificates?
Otherwise, do some of you use a front reverse proxy with SSL termination to allow access to the Vera?
I have no knowledge related to UPnP, so I will look at this once I have everything in hand. However, it could be a good idea to upgrade libupnp to the latest version.

Thank you in advance for your feedback.
Maxime

Offline futzle

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #41 on: September 16, 2013, 06:41:15 am »
Quote
I'm about to buy a Vera Lite to start a small system at home,

A note on forum etiquette: your post will be seen as trying to hijack an existing thread with a different topic. If you want more or better answers, start a new thread.

The best answers to your questions can already be found on the forum. You can probably convince lighttpd to use a self-signed certificate. That won't protect you from port 3480 exploits. Several of us have set up VPNs for secure remote access. This works. There are no howtos for doing any of this. You will need to use existing forum posts, your own knowledge, and the goodwill of other forum members to get what you want.
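The layout Richard describes in Reply #32 (LuaUPnP listening only on localhost, lighttpd on 443 forwarding /port_3480/ and requiring a user certificate) and the lighttpd.conf/openssl question in Reply #40, as an added configuration example. It is not the Vera firmware's lighttpd.conf and not MiOS code; the file paths, the user-CA name and the lighttpd version requirement for proxy.header are assumptions.

```conf
# Added example, not the Vera firmware's lighttpd.conf. Paths are assumed.
server.modules += ( "mod_proxy" )

# 443: TLS with a mandatory user certificate signed by your own CA
$SERVER["socket"] == ":443" {
    ssl.engine                = "enable"
    ssl.pemfile               = "/etc/lighttpd/vera.pem"      # server key + cert, concatenated
    ssl.ca-file               = "/etc/lighttpd/user-ca.crt"   # CA that issues the user certs
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"   # no valid user cert: handshake fails, nothing reaches LuaUPnP
    ssl.verifyclient.depth    = 1

    # https://Vera.IP/port_3480/... -> LuaUPnP, which must be bound to 127.0.0.1:3480 only
    proxy.server = ( "/port_3480/" => ( ( "host" => "127.0.0.1", "port" => 3480 ) ) )
    # strip the prefix so LuaUPnP sees /data_request?... (proxy.header needs lighttpd >= 1.4.46;
    # older releases forward the path unchanged)
    proxy.header = ( "map-urlpath" => ( "/port_3480/" => "/" ) )
}
```

For fraga's question: a self-signed server certificate is enough for the ssl.pemfile side (`openssl req -x509 -newkey rsa:2048 -nodes -keyout vera.key -out vera.crt -days 365`, then `cat vera.key vera.crt > vera.pem`); the browser warning it produces goes away once you import vera.crt as trusted. The user certificates are a separate key pair per user, signed by the CA in ssl.ca-file and installed in each browser or app, which is exactly the bootstrapping problem Richard raises in Reply #30. Two caveats, both made elsewhere in this thread: this fragment changes nothing about what LuaUPnP itself listens on, so as long as 3480/49451 are still reachable on the LAN interface the certificate protects nothing (bind LuaUPnP to localhost, or drop the ports on non-loopback interfaces with a rule such as `iptables -I INPUT -p tcp --dport 3480 ! -i lo -j DROP`); and a client certificate, as dcrowley notes in Reply #38, authenticates the browser but does not stop a request that browser was tricked into sending.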

Offline Da_JoJo

Re: Fixes for vulns in recent advisory - Community feedback wanted
« Reply #42 on: September 16, 2013, 11:03:06 am »
Upgrading to the latest libupnp is not much use in this particular case. And, like futzle noted: do not hijack threads. There is a beginners section on the forum, which mostly consists of reading and searching. Once you get to the point of being familiar with the system you could offer some good points here which might be useful. The points stated obviously aren't.