Date: Tue, 9 Jan 2018 08:37:08 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Own on install. How grave it is?

Many OS installs/etc take a password during install, either manually
(e.g. prompting you at the command line), or the OS is installed using
tools that allow a password to be set (e.g. Red Hat kickstarter,
Satellite, CloudForms).

In general, if an OS install does NOT give you any way to set a
password during install and forces you to install the product, boot it
and then log in with blank credentials and set a password, you end up
with a CVE, since a network-based attacker can easily win that race; a
good example being FreeNAS CVE-2014-5334. If the installer can prompt
for a password or take a password through other means (e.g.
kickstarter), then there's a safe option, so no CVE is typically needed.

On Tue, Jan 9, 2018 at 6:42 AM, Georgi Guninski <guninski@...inski.com> wrote:
> [don't know if this is ontopic. Not on the list so CC me].
>
> This is well known, haven't seen it discussed.
>
> In short doing clean install (factory defaults) has a window of
> opportunity when the device is vulnerable to a known network attack.
>
> It used to be common sense to reinstall after compromise (probably
> doesn't apply to the windows world where the antivirus takes care).
>
> All versions of windoze are affected by the SMB bug to my knowledge.
> Debian jessie (old stable) is vulnerable to malicious mirror attack.
>
> More of interest to me are devices where the installation media is
> fixed and can't be changed.
>
> This includes smartphones and wireless routers.
>
> Some smartphones might be vulnerable to wifi RCE (found by google?).
> Some wireless routers might be vulnerable to wifi RCE or
> default admin password attack over wifi.
>
> Internet of Things will make things worse (some NAS devices are
> affected).
>
> Shielding the device might not be solution since updates must be
> applied.
>
> Are the above concerns real?
>
> Has this been studied systematically?
>
>



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
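As an added example that is not part of the thread: a POSIX shell audit that flags accounts in a shadow-format file whose password field is empty, which is the blank-credential state the reply above describes as the exposure window. The shadow sample below is constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the list post): find accounts that can log in
# with an empty password, i.e. the "boot it and then log in with blank
# credentials" state. The sample is constructed; the "$6$..." line stands
# in for a real SHA-512 crypt hash and is not a valid hash.
SAMPLE_SHADOW='root::17540:0:99999:7:::
daemon:*:17540:0:99999:7:::
admin:$6$constructedsalt$constructedhash:17540:0:99999:7:::
backup:!:17540:0:99999:7:::
guest::17540:0:99999:7:::'

# Print the names of accounts whose password field is empty.
# Locked fields ("*", "!", "!!") are not blank and are not reported;
# empty lines (NF == 0) are skipped so they never produce a hit.
blank_password_accounts() {
    printf '%s\n' "$1" | awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# Number of blank-password accounts, as a plain integer.
count_blank_password_accounts() {
    blank_password_accounts "$1" | wc -l | tr -d ' '
}

# Succeeds (exit 0) only when no account has an empty password field.
shadow_is_safe() {
    [ "$(count_blank_password_accounts "$1")" -eq 0 ]
}

# Against a live system (root required):
#   shadow_is_safe "$(cat /etc/shadow)" || echo "blank-password accounts present"
```

On a freshly installed box this is a quick post-boot check that the installer actually set a credential before the machine was put on the network.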
