IETF Logo Mail Archive

Re: [OPSAWG] Secdir early review of draft-ietf-opsawg-sbom-access-09

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 30 September 2022 09:47 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66331C157B37; Fri, 30 Sep 2022 02:47:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-0NvbWEM16n; Fri, 30 Sep 2022 02:47:24 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92FC3C157B34; Fri, 30 Sep 2022 02:47:23 -0700 (PDT)
Received: from dooku.sandelman.ca (host-87-4-189-54.retail.telecomitalia.it [87.4.189.54]) by relay.sandelman.ca (Postfix) with ESMTPS id E66661F455; Fri, 30 Sep 2022 09:47:20 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 462B81A0753; Fri, 30 Sep 2022 11:47:20 +0200 (CEST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian Huitema <huitema@huitema.net>, Eliot Lear <lear@lear.ch>, secdir@ietf.org, draft-ietf-opsawg-sbom-access.all@ietf.org, opsawg@ietf.org
In-reply-to: <c743a72d-eb57-0bfa-ea5d-1771968235c7@huitema.net>
References: <166328140919.4880.9689644222672528524@ietfa.amsl.com> <8e421ec6-7489-8b1c-29c3-64618730f402@lear.ch> <18cf1d1d-508b-ae85-72a1-f7f0454a75f7@lear.ch> <c743a72d-eb57-0bfa-ea5d-1771968235c7@huitema.net>
Comments: In-reply-to Christian Huitema <huitema@huitema.net> message dated "Thu, 29 Sep 2022 09:53:25 -0700."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 27.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 30 Sep 2022 11:47:20 +0200
Message-ID: <618726.1664531240@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Ymr13-0n07fC53dLWd-n5TGvzaw>
Subject: Re: [OPSAWG] Secdir early review of draft-ietf-opsawg-sbom-access-09
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 09:47:28 -0000

Christian Huitema <huitema@huitema.net> wrote:
    > 2) I am not concerned about the disclosure of software vulnerabilities
    > per software versions, but I am still concerned about the inventory of
    > devices. Especially if there is an easy way to query devices and find
    > what software version they are running. Attackers are going to love an
    > automated way to find out which devices run what vulnerable version.

Let's remember that this is an extension to *MUD* (RFC8520) to embed an SBOM pointer.

So in order for a passive attacker to see the pointer, they have *already*
seen the pointer to the MUD.   To date, MUD doesn't specify a way to load the
MUD from the device itself without embedding the IP of the device in the URL.
( https://datatracker.ietf.org/doc/html/draft-jimenez-t2trg-mud-coap-00
proposed a self-reference though)

If the MUD file is version of firmware specific,
  see: https://www.ietf.org/archive/id/draft-ietf-opsawg-mud-acceptable-urls-05.html#name-updating-the-mud-files-in-p
  for a discussion of when/how one might change the *MUD* URL when the firmware
  changes)

then the attacker does not even need to read the SBOM, or have one
present, to know what software version the device is running!

If the SBOM is self-hosted, then the device gets to answer correctly about
its versioned SBOM.  If the SBOM is hosted by the vendor, then the URL in the
MUD will need to change when the version changes, and this might mean that
the MUD URL also has to change.

So what I'm really saying is that the ship has already sailed with RFC8520.
An attacker really does not need the SBOM to find out what MUD capable
devices are present, and potentially which versions of firmware they are running.

It's not trivial to get the MUD URL out of a device though.  You can't really
just knock.  LLDP is pretty hard to do unless you are directly connected at
L2 as the switch, but I suppose it might be possible to get it over WiFi.
(I never tried)
The MUD URL shows up in DHCP requests, and they can be observed when they are broadcast.
The IDevID location for MUD URLs is usually only present by observing some
TLS (1.2) handshake, perhaps as part of BRSKI.

In summary, getting an automated way to find out which devices are vulnerable
to attack is going to help the defenders far more than it helps the
attackers.

But, I did agree that unconfigured devices which have not been onboarded with
an administrative credential should not answer queries about their SBOM.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email