On 12/17/19 10:17 PM, Khem Raj wrote:
On Tue, Dec 17, 2019 at 7:14 PM Adrian Bunk <[email protected]> wrote:
On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
snmpd.conf, by default, lists the string "public" as the community string. As
a consequence, any build incorporating net-snmp implicitly enables a
vulnerability (CVE-1999-0517) where an attacker could obtain information about
(and potential control of) the device and its network. This issue is picked up
by common security scan tools, and given the age of the vulnerability, some
minimum mitigation steps should be taken. While the conf file itself
recommends setting the community string to a value known only within the
user's organization, changing this string's default value for Yocto builds is
a minimum step to help mitigate this issue.
...
-com2sec paranoid default public
+com2sec paranoid default yocto-snmp-community
...
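Review bot: the replacement on `+com2sec paranoid default yocto-snmp-community` is a fixed value committed to the recipe, so it is as discoverable as "public" and does not remove the CVE-1999-0517 exposure the commit message describes; it also keeps `default` as the source field, which in snmpd.conf matches any address, so the community string remains the only access control on that line. Suggest not shipping a working read community at all (leave the line commented out, or require the integrator to supply the value at image build time) and stating in the commit message that the community string must be set per deployment, rather than swapping one well-known default for another.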
Instead of mitigation this might do more bad than good.
Attackers and security scan tools will just start to also
scan for the known alternative "yocto-snmp-community".
The problem is that attackers tend to be faster with that,
so the actual change would be that security scan tools might
no longer report a vulnerability attackers will still use.
I tend to agree. Perhaps describe mitigation in wiki and let users choose a string of their choice and let defaults be as they are.
Those are good points. Thanks for reviewing.
cu
Adrian
--
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel