Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 31 Jan 2012 10:23:10 -0500 (EST)
From: "Steven M. Christey" <>
To: "" <>
cc: Nanakos Chrysostomos <>,
        Kurt Seifried <>,
        Jonathan Wiltshire <>,
        "" <>
Subject: Re: Re: Yubiserver package ships with pre-filled

On Tue, 31 Jan 2012, Gian Piero Carrubba wrote:

> More generally, in a 2FA environment, a default account in yubiserver 
> could lessen the security level but should not expose a straight attack 
> vector.

If a security feature is less strong than advertised (or less strong than 
its user may reasonably assume), then this is enough to qualify for CVE.

> Problem arises when a user doesn't check the account db [0] and blindly 
> trust the results of key validation, possibly automatically mapping 
> successfully validated keys to default users. I doubt this can happen 
> for system logins, unless something is seriously wrong, but there are 
> other resources for whose I think this scenario is plausible (i.e. 
> authentication to a proxy server or granting access to a network 
> segment).

Since there are plausible scenarios in which the feature could be misused, 
this also seems to qualify for a CVE.

> To be honest, issuing a CVE seems a bit overkilling to me.

CVE doesn't cover just the most serious vulnerabilities out there. While 
the circumstances might be rare, and it's not as serious as other 
problems, it's still "bad enough" that some consumers would care about it.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.