[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CONTENT DECISION: Content Decisions for "Password Selection" problems

Adam Shostack asked:

>So, when there is a secret default password, thats already covered
>under an existing CVE?
>
>Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
>in.  Similarly, the Sun "all private" snmp community.
>
>Do these get rated as default passwords?  (I'm happy with a yes, but
>its a suprising decision)

I think that hidden passwords, e.g. the SNMP "backdoor" community
names, are a different beast.  I'm not sure about 3com Corebuilder -
was that a "backdoor" password that they never advertised to the end
user?

I think it is a reasonable distinction to make between "unannounced"
defaults and "announced" defaults.  For consistency, assuming we adopt
the "default passwords are high cardinality" content decision, then
I'd want to apply the same rule to "backdoor" defaults.

I definitely see a distinction between these types of default
passwords and the Netcache bug where the SNMP default name "public"
wouldn't be removed, even if the admin told it to.  That's a software
flaw, not a configuration problem.

- Steve
Page Last Updated or Reviewed: May 22, 2007