[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CONTENT DECISION: Content Decisions for "Password Selection" problems

On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote:
> Adam Shostack asked:
> >So, when there is a secret default password, thats already covered
> >under an existing CVE?
> >
> >Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
> >in.  Similarly, the Sun "all private" snmp community.
> >
> >Do these get rated as default passwords?  (I'm happy with a yes, but
> >its a suprising decision)
> I think that hidden passwords, e.g. the SNMP "backdoor" community
> names, are a different beast.  I'm not sure about 3com Corebuilder -
> was that a "backdoor" password that they never advertised to the end
> user?
> I think it is a reasonable distinction to make between "unannounced"
> defaults and "announced" defaults.  For consistency, assuming we adopt
> the "default passwords are high cardinality" content decision, then
> I'd want to apply the same rule to "backdoor" defaults.
> I definitely see a distinction between these types of default
> passwords and the Netcache bug where the SNMP default name "public"
> wouldn't be removed, even if the admin told it to.  That's a software
> flaw, not a configuration problem.

If we follow the logic we did during our meeting at Black Hats
then each distinct non-announced account/password should be a
separate CVE entry. If I am using a scanner I want to know whether
it knows about the specific 3com backdoor, not whether its knowns
about backdoors in some general sense. Ditto for default passwords.

> - Steve

Aleph One / aleph1@underground.org
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 

Page Last Updated or Reviewed: May 22, 2007