On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
> snmpd.conf, by default, lists the string "public" as the community string. As
> a consequence, any build incorporating net-snmp implicitly enables a
> vulnerability (CVE-1999-0517) where an attacker could obtain information about
> (and potential control of) the device and its network. This issue is picked up
> by common security scan tools, and given the age of the vulnerability, some
> minimum mitigation steps should be taken. While the conf file itself
> recommends setting the community string to a value known only within the
> user's organization, changing this string's default value for Yocto builds is
> a minimum step to help mitigate this issue.
>...
> -com2sec paranoid default public
> +com2sec paranoid default yocto-snmp-community
>...
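Review bot: the new value on the `+com2sec paranoid default yocto-snmp-community` line is another fixed string that ships in the recipe, so once published it is as guessable as `public`, and the `default` source field still accepts it from any address. Consider shipping the line commented out so snmpd answers no v1/v2c community until a site-specific value is configured, or documenting that distributions must override it, rather than substituting one constant for another.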
Instead of mitigation this might do more bad than good.

Attackers and security scan tools will just start to also scan for the known alternative "yocto-snmp-community". The problem is that attackers tend to be faster with that, so the actual change would be that security scan tools might no longer report a vulnerability attackers will still use.

cu
Adrian
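A build-time check of the kind this exchange argues for, as an added example (not code from the patch, from Yocto or from net-snmp): it parses the v1/v2c community directives of an snmpd.conf and flags any community string that is public knowledge, including the fixed replacement proposed above, or any community accepted from every source address. The sample configuration and the set of known strings are constructed for the example.

```python
# Community strings that are public knowledge: the historical default, its
# usual sibling, and the fixed replacement proposed in the patch (constructed
# list; extend it with whatever your own images have ever shipped).
KNOWN_COMMUNITIES = {"public", "private", "yocto-snmp-community"}

# snmpd.conf directives that bind a v1/v2c community string:
#   com2sec NAME SOURCE COMMUNITY
#   rocommunity / rwcommunity COMMUNITY [SOURCE [...]]
# In net-snmp the SOURCE keyword "default" means any address.
_DIRECTIVES = ("com2sec", "rocommunity", "rwcommunity")


def audit_snmpd_conf(text):
    """Return (line_no, directive, community, reason) for each weak binding."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directive = fields[0]
        if directive not in _DIRECTIVES:
            continue
        if directive == "com2sec" and len(fields) >= 4:
            source, community = fields[2], fields[3]
        elif directive != "com2sec" and len(fields) >= 2:
            community = fields[1]
            source = fields[2] if len(fields) >= 3 else "default"
        else:
            continue  # malformed line; snmpd will reject it anyway
        if community in KNOWN_COMMUNITIES:
            findings.append((line_no, directive, community,
                             "publicly known community string"))
        elif source == "default":
            findings.append((line_no, directive, community,
                             "community accepted from any source address"))
    return findings


# Constructed sample snmpd.conf, not a file from the Yocto recipe.
SAMPLE_CONF = """\
# sample configuration for the audit
com2sec paranoid default      public
com2sec paranoid default      yocto-snmp-community
com2sec readonly 192.0.2.0/24 site-specific-value
rocommunity private
rwcommunity ops-rw 10.0.0.0/8
rocommunity ops-ro
"""

if __name__ == "__main__":
    for line_no, directive, community, reason in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {directive} '{community}': {reason}")
```

Run it against the snmpd.conf installed into the image (for example from a do_install or image QA step) and fail the build when it returns any finding.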
