Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
Adam Shostack asked:
>So, when there is a secret default password, thats already covered
>under an existing CVE?
>Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
>in. Similarly, the Sun "all private" snmp community.
>Do these get rated as default passwords? (I'm happy with a yes, but
>its a suprising decision)
I think that hidden passwords, e.g. the SNMP "backdoor" community
names, are a different beast. I'm not sure about 3com Corebuilder -
was that a "backdoor" password that they never advertised to the end
I think it is a reasonable distinction to make between "unannounced"
defaults and "announced" defaults. For consistency, assuming we adopt
the "default passwords are high cardinality" content decision, then
I'd want to apply the same rule to "backdoor" defaults.
I definitely see a distinction between these types of default
passwords and the Netcache bug where the SNMP default name "public"
wouldn't be removed, even if the admin told it to. That's a software
flaw, not a configuration problem.