Date: Sun, 17 Aug 2014 09:47:53 +0200
From: devzero2000 <pinto.elia@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: FreeNAS default blank password

On 17/Aug/2014 04:12 "Kurt Seifried" <kseifried@...hat.com> wrote:
>
> So I installed the latest FreeNAS (126.96.36.199), install is simple, no
> options, it just drops it onto the disk you specify, you reboot, it works.
>
> By default you get a text based menu with some options (setup
> network/DNS/etc.), and one option is "Reset WebGUI Login Credentials".
>
> The problem is at first boot (and if you ever pick "Reset WebGUI Login
> Credentials") the web admin has a blank password, anyone that can access
> it can set the admin password and then use the web GUI to fire up a root
> shell (there's a nice little web shell command line).
>
> So an attacker can easily race the admin to the WebGUI, set a new
> password, login as root, setup a backdoor, then reset the WebGUI
> password so it's blank again and the admin would be none the wiser (log
> files won't help because the attacker has root and can easily sanitize
> them).
>
> There is no way from the text GUI to set the Web GUI admin password. I
> don't think there is even a CLI tool to set the web GUI password (I
> can't find it easily).
>
> Either way, does this deserve a CVE? Forcing a user to set the admin Web
> GUI password through the Web GUI, meaning it must be exposed to some
> degree prior to securing it. My understanding is default/blank admin
> credentials now == CVE. Thanks.
>

Many devices have a "default" password on first install that everyone knows. For me a "blank" password or "admin admin" are equal as a security risk. Have I missed something?

Best regards

> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>