resinOS vulnerability management


#1

As an organization thinking about deploying Resin-based devices, how should I be thinking about vulnerability management for Resin-based systems? Managing vulnerabilities in my application code is straightforward; just push an update. However, I’m not sure how to address vulnerabilities on the host (e.g., related to the Linux kernel, dnsmasq). Specifically, I’ve observed the use of the v4.4.50 Linux kernel, dnsmasq v2.75, openssl v1.0.2g, etc. on the RPi3 resinOS image. The possible presence of serious year+ old vulnerabilities is concerning. What will Resin patch and what is the SLA? Do I need to build my own resinOS if I want more control over patching/updating?


#2

Hi, we are taking vulnerabilities very seriously, and resinOS host OS updates are core to our commitment to keeping your devices secure (see for example Beta testers: resinOS 2.x updates!). Self-service updates are coming very soon, and the recent disclosures accelerated that process as well, to make sure everyone can be covered properly.

For dnsmasq, the recent announcements affecting wpa_supplicant, etc., are being applied to meta-resin, which is the repository from which resinOS is created. Those fixes should be in the next release of resinOS.

We are building a more transparent process of tracking CVEs and other disclosures, so it can be easier to see what’s affected and what’s not affected. There’s a security whitepaper coming out soon too, that has more information to clarify our stance and show our designs and the decisions that went into those designs.

Having said all that, resinOS is open source, so both building your own (you don’t have to, but you have the choice) and sending patches are very welcome.

Is this a good start of this conversation? Please do not hesitate to let us know any issues or queries you have about security or otherwise.


#3

Hi Gergely,
Thanks for your reply. I appreciate Resin’s focus on security and am happy with much of what I’ve seen so far.

Could you provide additional detail regarding the timeline (e.g. by end of 2017, Q1 2018) for OS updates, self-service updates, vulnerability tracking, and the security white paper? Or when more information might be available? The GitHub milestone linked from the resinos.io page shows that the milestone is 57% complete and 9 months overdue.

v/r
Eric


#4

Hello @esmyth,

We’ve just published our security white paper as a page in our documentation. We will keep this updated with the latest on our security features. Feel free to submit an issue with the label security if there is anything you feel is missing.

We’ve also just released self-service updates for 1.x to 2.x and between 2.x versions of resinOS.