Date: Tue, 9 Jan 2018 08:37:08 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Own on install. How grave it is?

Many OS installs/etc take a password during install, either manually (e.g.
prompting you at the command line), or the OS is installed using tools that
allow a password to be set (e.g. Red Hat kickstarter, Satellite,
CloudForms).

In general, if an OS install does NOT give you any way to set a password
during install and forces you to install the product, boot it and then
log in with blank credentials and set a password, you end up with a CVE,
since a network based attacker can easily win that race, a good example
being FreeNAS CVE-2014-5334. If the installer can prompt for a password or
take a password through other means (e.g. kickstarter) then there's a safe
option, so no CVE is needed typically.

On Tue, Jan 9, 2018 at 6:42 AM, Georgi Guninski <guninski@...inski.com> wrote:

> [don't know if this is ontopic. Not on the list so CC me].
>
> This is well known, haven't seen it discussed.
>
> In short doing a clean install (factory defaults) has a window of
> opportunity when the device is vulnerable to a known network attack.
>
> It used to be common sense to reinstall after compromise (probably
> doesn't apply to the windows world where the antivirus takes care).
>
> All versions of windoze are affected by the SMB bug to my knowledge.
> Debian jessie (old stable) is vulnerable to malicious mirror attack.
>
> More of interest to me are devices where the installation media is
> fixed and can't be changed.
>
> This includes smartphones and wireless routers.
>
> Some smartphones might be vulnerable to wifi RCE (found by google?).
> Some wireless routers might be vulnerable to wifi RCE or
> default admin password attack over wifi.
>
> Internet of Things will make things worse (some NAS devices are
> affected).
>
> Shielding the device might not be a solution since updates must be
> applied.
>
> Are the above concerns real?
>
> Has this been studied systematically?
>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com