Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote:
| Adam Shostack asked:
| >So, when there is a secret default password, that's already covered
| >under an existing CVE?
| >E.g., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
| >in. Similarly, the Sun "all private" snmp community.
| >Do these get rated as default passwords? (I'm happy with a yes, but
| >it's a surprising decision)
| I think that hidden passwords, e.g. the SNMP "backdoor" community
| names, are a different beast. I'm not sure about 3com Corebuilder -
| was that a "backdoor" password that they never advertised to the end
| I think it is a reasonable distinction to make between "unannounced"
| defaults and "announced" defaults. For consistency, assuming we adopt
| the "default passwords are high cardinality" content decision, then
| I'd want to apply the same rule to "backdoor" defaults.
I see that as a reasonable distinction.
| I definitely see a distinction between these types of default
| passwords and the Netcache bug where the SNMP default name "public"
| wouldn't be removed, even if the admin told it to. That's a software
| flaw, not a configuration problem.