[oe] [meta-networking][PATCH] net-snmp: update default community string

Trevor Gamblin trevor.gamblin at windriver.com
Wed Dec 18 01:11:13 UTC 2019


snmpd.conf, by default, lists the string "public" as the community string. As
a consequence, any build incorporating net-snmp implicitly enables a
vulnerability (CVE-1999-0517) where an attacker could obtain information about
(and potential control of) the device and its network. This issue is picked up
by common security scan tools, and given the age of the vulnerability, some
minimum mitigation steps should be taken. While the conf file itself
recommends setting the community string to a value known only within the
user's organization, changing this string's default value for Yocto builds is
a minimum step to help mitigate this issue. Superior solutions that can be
implemented by the end developer/user include replacing the default community
string with a complex string unique to the network and/or filtering
UDP packets on the appropriate ports.

There's no formal fix for the above CVE, so I've avoided labeling this as if
it were a CVE fix. Also note that if you want to test this to check the change,
net-snmp-server needs to be included in the build (not just net-snmp).

More info can be found at https://www.tenable.com/plugins/nessus/41028.

Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
---
 meta-networking/recipes-protocols/net-snmp/files/snmpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
index 728171c42..5a5c40bb0 100644
--- a/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
+++ b/meta-networking/recipes-protocols/net-snmp/files/snmpd.conf
@@ -58,7 +58,7 @@
 # from):
 
 #       sec.name  source          community
-com2sec paranoid  default         public
+com2sec paranoid  default         yocto-snmp-community
 #com2sec readonly  default         public
 #com2sec readwrite default         private
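Review bot: The replacement value "yocto-snmp-community" is just as well-known as "public" once this file is committed, since it ships identically in every image built from this layer and is readable in the public repository; the commit message itself calls this a minimum step, so the hunk should make that explicit in the config rather than leaving a string that looks like a deliberate secret. Suggest adding a comment directly above the changed line, e.g. `# Placeholder only: replace with a site-specific community string before deployment`, so that anyone reading the shipped snmpd.conf knows the value is not a credential. The two commented-out lines that follow still carry "public" and "private" (`#com2sec readonly default public` / `#com2sec readwrite default private`); if either is uncommented the original finding reappears, so consider changing those defaults in the same patch for consistency.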
 
-- 
2.23.0
