On Tue, Dec 17, 2019 at 7:14 PM Adrian Bunk <[email protected]> wrote:
>
> On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
> > snmpd.conf, by default, lists the string "public" as the community string. As
> > a consequence, any build incorporating net-snmp implicitly enables a
> > vulnerability (CVE-1999-0517) where an attacker could obtain information about
> > (and potential control of) the device and its network. This issue is picked up
> > by common security scan tools, and given the age of the vulnerability, some
> > minimum mitigation steps should be taken. While the conf file itself
> > recommends setting the community string to a value known only within the
> > user's organization, changing this string's default value for Yocto builds is
> > a minimum step to help mitigate this issue.
> >...
> > -com2sec paranoid default public
> > +com2sec paranoid default yocto-snmp-community
> >...
>
> Instead of mitigation this might do more bad than good.
>
> Attackers and security scan tools will just start to also
> scan for the known alternative "yocto-snmp-community".
>
> The problem is that attackers tend to be faster with that,
> so the actual change would be that security scan tools might
> no longer report a vulnerability attackers will still use.
>
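Review bot: the value on the `+com2sec paranoid default yocto-snmp-community` line is still a fixed literal shipped in the recipe, so every image built from this layer shares one community string that is as widely known as "public" the moment the layer is published, and any scanner signature for the old default only needs a second entry. If the goal is to remove the well-known default rather than rename it, drop the `com2sec paranoid default public` line entirely (leaving snmpd with no v1/v2c read community until the integrator configures one) or have the image/build step generate a per-device value, and document the override point for integrators in the recipe or its README.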
I tend to agree. Perhaps describe mitigation in the wiki and let users choose a string of their choice and let defaults be as they are.

> cu
> Adrian
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> [email protected]
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
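As an added example (not part of the thread and not code from net-snmp or the meta-oe recipe), the following script audits an snmpd.conf for community definitions that use a publicly known string. It parses the `com2sec`, `rocommunity` and `rwcommunity` directives (and their IPv6 `…6` variants) and flags "public" and "private", the historic defaults behind CVE-1999-0517, together with the proposed static replacement "yocto-snmp-community", which Adrian's point implies is no safer once the recipe is published. The sample configuration and the `paranoid`/`readwrite` section names are constructed for the example.

```python
"""Audit an snmpd.conf for well-known v1/v2c community strings (added example)."""
import sys
from typing import List, Tuple

# Strings that are effectively public knowledge. "public"/"private" are the
# historic defaults behind CVE-1999-0517; "yocto-snmp-community" is the fixed
# replacement proposed in the thread and is equally scannable once published.
KNOWN_DEFAULT_COMMUNITIES = frozenset({"public", "private", "yocto-snmp-community"})

# Constructed sample snmpd.conf for offline testing; not taken from any device.
SAMPLE_SNMPD_CONF = """\
# Sample snmpd.conf (constructed for the example)
com2sec paranoid  default   public
com2sec readwrite default   "yocto-snmp-community"
com2sec local     localhost s3cr3t-org-only-string
rocommunity public 192.168.1.0/24
rwcommunity private
group MyROGroup v1 paranoid
"""

Finding = Tuple[int, str, str]  # (line number, directive, community string)


def parse_community_directives(text: str) -> List[Finding]:
    """Return every directive in snmpd.conf syntax that defines a community:

        com2sec[6]     NAME SOURCE COMMUNITY
        rocommunity[6] COMMUNITY [SOURCE [OID]]
        rwcommunity[6] COMMUNITY [SOURCE [OID]]

    Comments and blank lines are skipped; surrounding double quotes on the
    community value are removed so quoted and bare forms compare equal."""
    found: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        base = directive[:-1] if directive.endswith("6") else directive
        if base == "com2sec" and len(parts) >= 4:
            community = parts[3]
        elif base in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            community = parts[1]
        else:
            continue
        found.append((line_no, directive, community.strip('"')))
    return found


def find_weak_communities(text: str) -> List[Finding]:
    """Return only the definitions whose community is a known default."""
    return [
        (no, directive, community)
        for no, directive, community in parse_community_directives(text)
        if community.lower() in KNOWN_DEFAULT_COMMUNITIES
    ]


def report(text: str) -> str:
    """Human-readable summary; empty string when nothing is flagged."""
    lines = [
        f"line {no}: {directive} uses well-known community '{community}'"
        for no, directive, community in find_weak_communities(text)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Audit a file given on the command line, or the constructed sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNMPD_CONF
    out = report(conf)
    print(out or "no well-known community strings found")
    sys.exit(1 if out else 0)
```

Run it against a real `snmpd.conf` as `python3 audit_snmpd.py /etc/snmp/snmpd.conf`; a non-zero exit is convenient for a build-time or CI check on a generated rootfs. The constructed sample deliberately includes a quoted community and a non-default one so the parser's handling of both is exercised.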
