[oe] [meta-networking][PATCH] net-snmp: update default community string

Khem Raj raj.khem at gmail.com
Wed Dec 18 03:17:32 UTC 2019


On Tue, Dec 17, 2019 at 7:14 PM Adrian Bunk <bunk at stusta.de> wrote:
>
> On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
> > snmpd.conf, by default, lists the string "public" as the community string. As
> > a consequence, any build incorporating net-snmp implicitly enables a
> > vulnerability (CVE-1999-0517) where an attacker could obtain information about
> > (and potential control of) the device and its network. This issue is picked up
> > by common security scan tools, and given the age of the vulnerability, some
> > minimum mitigation steps should be taken. While the conf file itself
> > recommends setting the community string to a value known only within the
> > user's organization, changing this string's default value for Yocto builds is
> > a minimum step to help mitigate this issue.
> >...
> > -com2sec paranoid  default         public
> > +com2sec paranoid  default         yocto-snmp-community
> >...
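Review bot: Swapping one hard-coded community string for another in the `+com2sec paranoid default yocto-snmp-community` line does not remove the exposure the commit message describes; once the recipe is public, "yocto-snmp-community" is as discoverable as "public", so a scan tool or anyone else checking for the old default only needs to add the new one, and the build still ships a known credential. Prefer shipping this line commented out (or removed) so that snmpd has no read community configured until the user supplies one, which is what the conf file's own advice about an organization-specific value amounts to, and point to that guidance in the commit message and the wiki rather than presenting a new default as a fix.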
>
> Instead of a mitigation, this might do more harm than good.
>
> Attackers and security scan tools will just start to also
> scan for the known alternative "yocto-snmp-community".
>
> The problem is that attackers tend to be faster with that,
> so the actual change would be that security scan tools might
> no longer report a vulnerability attackers will still use.
>

I tend to agree. Perhaps describe the mitigation in the wiki and let users
choose a string of their choice, and let the defaults be as they are.

> cu
> Adrian