snmpd.conf, by default, lists the string "public" as the community string. As a consequence, any build incorporating net-snmp implicitly enables a vulnerability (CVE-1999-0517) where an attacker could obtain information about (and potential control of) the device and its network. This issue is picked up by common security scan tools, and given the age of the vulnerability, some minimum mitigation steps should be taken. While the conf file itself recommends setting the community string to a value known only within the user's organization, changing this string's default value for Yocto builds is a minimum step to help mitigate this issue. Superior solutions that can be implemented by the end developer/user include replacing the default community string with a complex string unique to the network and/or filtering UDP packets on the appropriate ports.
There's no formal fix for the above CVE, so I've avoided labeling this as if it were a CVE fix. Also note that if you want to test this to check the change, net-snmp-server needs to be included in the build (not just net-snmp). More info can be found at https://www.tenable.com/plugins/nessus/41028. Signed-off-by: Trevor Gamblin <[email protected]> --- meta-networking/recipes-protocols/net-snmp/files/snmpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf index 728171c42..5a5c40bb0 100644 --- a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf +++ b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf @@ -58,7 +58,7 @@ # from): # sec.name source community -com2sec paranoid default public +com2sec paranoid default yocto-snmp-community #com2sec readonly default public #com2sec readwrite default private -- 2.23.0 -- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
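Review bot: the value on the `+com2sec paranoid default yocto-snmp-community` line is still a fixed string shipped in every build, so it only defeats scanners that match the literal "public"; anyone who reads the recipe knows the new community. Since the message already states the string must be unique to the organization, consider pairing the change with a comment next to `# sec.name source community` telling integrators to override it at build time, and tightening the `source` column from `default` to `localhost` or a local subnet so the community is not accepted from any address (the message itself mentions filtering UDP packets as the stronger fix). The commented-out `#com2sec readonly default public` and `#com2sec readwrite default private` lines still carry the well-known defaults; updating them to match keeps a copied example from reintroducing "public" and "private".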
