[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CONTENT DECISION: Content Decisions for "Password Selection" problems

Aleph One said:

>If we follow the logic we did during our meeting at Black Hats then
>each distinct non-announced account/password should be a separate CVE
>entry. If I am using a scanner I want to know whether it knows about
>the specific 3com backdoor, not whether its knowns about backdoors in
>some general sense. Ditto for default passwords.

While there was agreement between you and Adam, I need to keep my
promise not to be overly swayed by what was discussed at that meeting,
including this particular issue.

Let's separate non-announced accounts/passwords from "announced"
default passwords.

Assuming that announced default passwords are a high cardinality
issue, is "default password" at the same "class" level as, say,
"buffer overflow" or "race condition"?  If so, then that's an argument
for having separate entries for announced default passwords.  I agree
that from a scanner perspective, you want to know what specific
default passwords it tests for.  However, as Adam has indicated in the
past, it's also reasonable for a scanner to announce that it checks
for "X *instances* of CVE vulnerability V," where the instances are at
a lower level of abstraction of the CVE.

- Steve
Page Last Updated or Reviewed: May 22, 2007