[oe] [meta-networking][PATCH] net-snmp: update default community string

Trevor Gamblin trevor.gamblin at windriver.com
Wed Dec 18 13:27:29 UTC 2019


On 12/17/19 10:17 PM, Khem Raj wrote:
> On Tue, Dec 17, 2019 at 7:14 PM Adrian Bunk <bunk at stusta.de> wrote:
>> On Tue, Dec 17, 2019 at 08:11:13PM -0500, Trevor Gamblin wrote:
>>> snmpd.conf, by default, lists the string "public" as the community string. As
>>> a consequence, any build incorporating net-snmp implicitly enables a
>>> vulnerability (CVE-1999-0517) where an attacker could obtain information about
>>> (and potential control of) the device and its network. This issue is picked up
>>> by common security scan tools, and given the age of the vulnerability, some
>>> minimum mitigation steps should be taken. While the conf file itself
>>> recommends setting the community string to a value known only within the
>>> user's organization, changing this string's default value for Yocto builds is
>>> a minimum step to help mitigate this issue.
>>> ...
>>> -com2sec paranoid  default         public
>>> +com2sec paranoid  default         yocto-snmp-community
>>> ...
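Review bot: replacing `public` with `yocto-snmp-community` on the `com2sec paranoid default ...` line swaps one publicly documented default for another: the new string lives in the layer's source and in every image built from it, so it leaves in place the default-community condition the commit message cites as CVE-1999-0517, and the unchanged `default` source field still accepts that community from any address. If a value must ship at all, make it a recipe variable the integrator is required to override (failing the build when it is left unset), or leave the `com2sec` line commented out so that the agent has no working v1/v2c community until one is configured.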
>> Instead of mitigation this might do more harm than good.
>>
>> Attackers and security scan tools will just start to also
>> scan for the known alternative "yocto-snmp-community".
>>
>> The problem is that attackers tend to be faster with that,
>> so the actual change would be that security scan tools might
>> no longer report a vulnerability attackers will still use.
>>
> I tend to agree. Perhaps describe mitigation in the wiki and let users
> choose a string of their choice
> and let defaults be as they are.
Those are good points. Thanks for reviewing.
>
>> cu
>> Adrian
>> --
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel at lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
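
The objection raised in the thread is that a fixed replacement string is as guessable as the one it replaces. As an added example, not code from net-snmp, meta-networking or the patch under discussion, the following POSIX shell audit flags every com2sec/rocommunity/rwcommunity directive that uses a well-known community string or accepts it from any source address, and runs it against a constructed copy of the weak configuration and a constructed SNMPv3-only alternative. The file names, the SNMPv3 user "opsuser", its placeholder passphrase and the listen address are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from net-snmp, meta-networking or the patch under
# review: audit an snmpd.conf for the weakness discussed in the thread and
# exercise it on a constructed weak and a constructed hardened configuration.
# File names, the SNMPv3 user "opsuser", its placeholder passphrase and the
# listen address are assumptions made for this example.

# Community strings that scanners and attackers try first. The point made in
# the thread is that any fixed value shipped in a public layer joins this
# list, so the proposed replacement is listed alongside the stock defaults.
KNOWN_COMMUNITIES="public private yocto-snmp-community"

is_known_community() {
    for k in $KNOWN_COMMUNITIES; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# audit_snmpd_conf FILE
# Prints one finding per line for every v1/v2c community directive that uses
# a well-known string or accepts the community from any source address.
# Returns 1 if anything was found, 0 if the file is clean.
audit_snmpd_conf() {
    findings=$(
        grep -Ev '^[[:space:]]*#' "$1" |
        grep -E '^[[:space:]]*(com2sec|rocommunity|rwcommunity)[[:space:]]' |
        while read -r directive a b c rest; do
            case "$directive" in
                # com2sec NAME SOURCE COMMUNITY; SOURCE "default" means any address
                com2sec) name="$a"; src="$b"; community="$c" ;;
                # rocommunity/rwcommunity COMMUNITY [SOURCE [-V VIEW]];
                # no SOURCE (or "-V" in its place) means any address
                *)  name="$directive"; community="$a"
                    case "$b" in ""|-V) src="default" ;; *) src="$b" ;; esac ;;
            esac
            if is_known_community "$community"; then
                printf '%s: well-known community string "%s"\n' "$name" "$community"
            fi
            if [ "$src" = "default" ]; then
                printf '%s: community "%s" accepted from any source address\n' "$name" "$community"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples, written to a scratch directory so the audit can run.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Shape of the stock file plus the proposed replacement: still guessable,
# still open to any source, and a v2c write community besides.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# constructed snmpd.conf resembling the default shipped with net-snmp
com2sec paranoid  default         public
com2sec readonly  default         yocto-snmp-community
rwcommunity private 10.0.0.0/8
EOF

# No v1/v2c community at all: an SNMPv3 user with authentication and privacy
# whose passphrase is set per deployment (placeholder, not a value to ship),
# and the agent bound to the management address only (assumed address).
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
createUser opsuser SHA "CHANGE-ME-PER-DEPLOYMENT" AES
rouser opsuser priv
agentaddress udp:10.0.0.5:161
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_snmpd_conf "$SAMPLE_DIR/$f.conf" && echo "no findings"
done
```

Run against the weak sample the audit reports both com2sec lines twice (known string, any source) and the rwcommunity line once; the hardened sample produces no findings because it defines no v1/v2c community at all. Extending KNOWN_COMMUNITIES with whatever a layer ships is the cheap way to keep the check honest, which is exactly why a new fixed default gains nothing.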

