|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote: > Adam Shostack asked: > > >So, when there is a secret default password, thats already covered > >under an existing CVE? > > > >Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you > >in. Similarly, the Sun "all private" snmp community. > > > >Do these get rated as default passwords? (I'm happy with a yes, but > >its a suprising decision) > > I think that hidden passwords, e.g. the SNMP "backdoor" community > names, are a different beast. I'm not sure about 3com Corebuilder - > was that a "backdoor" password that they never advertised to the end > user? > > I think it is a reasonable distinction to make between "unannounced" > defaults and "announced" defaults. For consistency, assuming we adopt > the "default passwords are high cardinality" content decision, then > I'd want to apply the same rule to "backdoor" defaults. > > I definitely see a distinction between these types of default > passwords and the Netcache bug where the SNMP default name "public" > wouldn't be removed, even if the admin told it to. That's a software > flaw, not a configuration problem. If we follow the logic we did during our meeting at Black Hats then each distinct non-announced account/password should be a separate CVE entry. If I am using a scanner I want to know whether it knows about the specific 3com backdoor, not whether its knowns about backdoors in some general sense. Ditto for default passwords. > > - Steve > -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
|
||||
