Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote:
| Adam Shostack asked:
|
| >So, when there is a secret default password, that's already covered
| >under an existing CVE?
| >
| >E.g., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
| >in. Similarly, the Sun "all private" snmp community.
| >
| >Do these get rated as default passwords? (I'm happy with a yes, but
| >it's a surprising decision)
|
| I think that hidden passwords, e.g. the SNMP "backdoor" community
| names, are a different beast. I'm not sure about 3Com Corebuilder -
| was that a "backdoor" password that they never advertised to the end
| user?

Yes. http://www.3com.com/news/advisory51498.html

| I think it is a reasonable distinction to make between "unannounced"
| defaults and "announced" defaults. For consistency, assuming we adopt
| the "default passwords are high cardinality" content decision, then
| I'd want to apply the same rule to "backdoor" defaults.

I see that as a reasonable distinction.

| I definitely see a distinction between these types of default
| passwords and the Netcache bug where the SNMP default name "public"
| wouldn't be removed, even if the admin told it to. That's a software
| flaw, not a configuration problem.

Agreed.

Adam