[oe] [meta-networking][PATCH] net-snmp: update default community string
Adrian Bunk
bunk at stusta.de
Wed Dec 18 03:14:09 UTC 2019
On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
> snmpd.conf, by default, lists the string "public" as the community string. As
> a consequence, any build incorporating net-snmp implicitly enables a
> vulnerability (CVE-1999-0517) where an attacker could obtain information about
> (and potential control of) the device and its network. This issue is picked up
> by common security scan tools, and given the age of the vulnerability, some
> minimum mitigation steps should be taken. While the conf file itself
> recommends setting the community string to a value known only within the
> user's organization, changing this string's default value for Yocto builds is
> a minimum step to help mitigate this issue.
>...
> -com2sec paranoid default public
> +com2sec paranoid default yocto-snmp-community
>...
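Review bot: replacing the default with another fixed, publicly committed value on the `+com2sec paranoid default yocto-snmp-community` line still ships a default credential; once this string is in the Yocto tree it is as discoverable as "public" and scanners and attackers will add it to their wordlists, so the scan finding goes away while the exposure remains. Consider instead not shipping an active `com2sec` line at all (leave it commented out or make the community a mandatory build-time setting), so that SNMP access is unavailable until the integrator sets a site-specific community; the commit message should then state that the change removes the default rather than renames it.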
Instead of mitigation this might do more harm than good.
Attackers and security scan tools will just start to also
scan for the known alternative "yocto-snmp-community".
The problem is that attackers tend to be faster with that,
so the actual change would be that security scan tools might
no longer report a vulnerability attackers will still use.
cu
Adrian