Re: CONTENT DECISION: Content Decisions for "Password Selection" problems

[Adam Shostack <adam@netect.com>]

On Fri, Jul 16, 1999 at 12:52:30PM -0400, Steven M. Christey wrote:
| Adam Shostack asked:
| 
| >So, when there is a secret default password, thats already covered
| >under an existing CVE?
| >
| >Eg., on the 3Com Corebuilder 6000/2500 "debug/synnet" works to get you
| >in.  Similarly, the Sun "all private" snmp community.
| >
| >Do these get rated as default passwords?  (I'm happy with a yes, but
| >its a suprising decision)
| 
| I think that hidden passwords, e.g. the SNMP "backdoor" community
| names, are a different beast.  I'm not sure about 3com Corebuilder -
| was that a "backdoor" password that they never advertised to the end
| user?

Yes.  http://www.3com.com/news/advisory51498.html

| I think it is a reasonable distinction to make between "unannounced"
| defaults and "announced" defaults.  For consistency, assuming we adopt
| the "default passwords are high cardinality" content decision, then
| I'd want to apply the same rule to "backdoor" defaults.

I see that as a reasonable distinction.

| I definitely see a distinction between these types of default
| passwords and the Netcache bug where the SNMP default name "public"
| wouldn't be removed, even if the admin told it to.  That's a software
| flaw, not a configuration problem.

Agreed

Adam