Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote:
> Adam Shostack asked:
> >So, when there is a secret default password, thats already covered
> >under an existing CVE?
> >Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
> >in. Similarly, the Sun "all private" snmp community.
> >Do these get rated as default passwords? (I'm happy with a yes, but
> >its a suprising decision)
> I think that hidden passwords, e.g. the SNMP "backdoor" community
> names, are a different beast. I'm not sure about 3com Corebuilder -
> was that a "backdoor" password that they never advertised to the end
> I think it is a reasonable distinction to make between "unannounced"
> defaults and "announced" defaults. For consistency, assuming we adopt
> the "default passwords are high cardinality" content decision, then
> I'd want to apply the same rule to "backdoor" defaults.
> I definitely see a distinction between these types of default
> passwords and the Netcache bug where the SNMP default name "public"
> wouldn't be removed, even if the admin told it to. That's a software
> flaw, not a configuration problem.
If we follow the logic we did during our meeting at Black Hats
then each distinct non-announced account/password should be a
separate CVE entry. If I am using a scanner I want to know whether
it knows about the specific 3com backdoor, not whether its knowns
about backdoors in some general sense. Ditto for default passwords.
> - Steve
Aleph One / email@example.com
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01