|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: assignment question
- To: Art Manion <amanion@cert.org>
- Subject: Re: assignment question
- From: Kurt Seifried <kurt@seifried.org>
- Date: Tue, 11 Dec 2018 18:25:41 -0700
- Authentication-results: spf=softfail (sender IP is 198.49.146.235) smtp.mailfrom=seifried.org; lists.mitre.org; dkim=pass (signature was verified) header.d=seifried-org.20150623.gappssmtp.com;lists.mitre.org; dmarc=none action=none header.from=seifried.org;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Wed Dec 12 07:40:28 2018
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seifried-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D0kBNM6u3poLkRk3py6SJZGD2BR/NGl/509bKCrgj3g=; b=QqUc8CvjZ8Y/0h+8Hew93RRmoB/5HoX+DvGUoKM7td3/LYQeTDWFm1ydnw5NmC9V5S cfH4RYdQZ5yyuXelNSnvt7lDHh4NshTZG+4WMeZEp2+fhw7v6dN8fbbzNwBkC6dASLet JntBCjk1LWpR9Mb3Ve4KDlp02nttUxMFumgUNld+5Og2e9qPgA65ht+Uljd1UWiX7DKO xAsWpzQz9JE1CQDDPcJWJeRhab4NklGYsqKObTMPQ71cgg7vKG0yrQPFq0hC27oHCFaA fXnBqheV4CSrFRvcFdSdyEVSDIVtKF5Z8K3Tbyf+PJp/OLdv3EcpdIwK3dEg0aqTpxaI CoBQ==
- In-reply-to: <1d6e44a8-652a-a6dc-a5f1-a6b3841145b7@cert.org>
- References: <1d6e44a8-652a-a6dc-a5f1-a6b3841145b7@cert.org>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On Tue, Dec 11, 2018 at 5:43 PM Art Manion <amanion@cert.org> wrote:
There is some software, part of the installation is a web server/application. On initial install, the web application is configured with a default password. Upon first login, the user is required to change the password, create new accounts(s), along with other first-time setup configuration activities.
IOW, if I obtain and install this software and walk away before completing the first-time setup, I've left myself exposed.
Can you set a password in some other way (e.g. feeding it a configuration option/file)? If yes, then you have a safe way to do this. If not I'd say it's CVE worthy. Precent: FreeNAS CVE-2014-5334
This is *barely* a vulnerability in my book, assuming there are sufficient warnings and documentation informing the user about the need to run the first-time setup.
CVE or no CVE?
In my book, if you CAN do it safely, but pick an unsafe route, no CVE, but if you have no safe route to take, you win a CVE.
Thanks,
- Art
My answer is a weak "yes" with as low a severity/priority as possible.
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- References:
- assignment question
- From: Art Manion <amanion@cert.org>
- assignment question
- Prev by Date: assignment question
- Next by Date: Re: So some blindspots that came up as a result of CVE for service discussion
- Previous by thread: assignment question
- Next by thread: MD5 is dead?
- Index(es):