Re: Re: Yubiserver package ships with pre-filled identities
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Tue, 31 Jan 2012 10:23:10 -0500 (EST)
On Tue, 31 Jan 2012, Gian Piero Carrubba wrote:
> More generally, in a 2FA environment, a default account in yubiserver
> could lessen the security level but should not expose a straight attack
If a security feature is less strong than advertised (or less strong than
its user may reasonably assume), then this is enough to qualify for CVE.
> Problem arises when a user doesn't check the account db and blindly
> trusts the results of key validation, possibly automatically mapping
> successfully validated keys to default users. I doubt this can happen
> for system logins, unless something is seriously wrong, but there are
> other resources for which I think this scenario is plausible (i.e.
> authentication to a proxy server or granting access to a network
Since there are plausible scenarios in which the feature could be misused,
this also seems to qualify for a CVE.
> To be honest, issuing a CVE seems a bit of overkill to me.
CVE doesn't cover just the most serious vulnerabilities out there. While
the circumstances might be rare, and it's not as serious as other
problems, it's still "bad enough" that some consumers would care about it.
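The scenario quoted above, where a deployment trusts a validation server's verdict and maps any validated key to a default user, can be shown side by side with the safer pattern in a short Python model. This is an added example, not code from yubiserver or from either poster; the enrolment table, the public IDs, the OTPs and the default user name are constructed placeholders, and the validation status strings are assumed to follow the usual Yubico OTP validation vocabulary ("OK", "REPLAYED_OTP", ...). It also includes a small audit helper that lists identities present in a validation server's database that the deployment itself never enrolled, which is the check that would have caught pre-filled identities.

```python
"""Mapping a validated Yubico OTP to a local user: risky vs. strict.

Added example, not yubiserver's or any poster's code. All identities,
users and OTPs below are constructed placeholders.
"""
import re

# A Yubico OTP is 44 modhex characters; the first 12 are the key's
# public ID, the remaining 32 the AES-encrypted token (left opaque here).
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{44}")
PUBLIC_ID_LEN = 12

# Enrolment table a careful deployment maintains itself: public ID -> user.
# Constructed sample data, not taken from any real key database.
ENROLLED = {
    "ccccccbchvth": "alice",
    "cccccccbjkld": "bob",
}


def is_well_formed(otp: str) -> bool:
    """True if the string has the shape of a Yubico OTP (modhex, 44 chars)."""
    return MODHEX_OTP.fullmatch(otp) is not None


def public_id(otp: str) -> str:
    """Extract the 12-character public ID from a well-formed OTP."""
    if not is_well_formed(otp):
        raise ValueError("malformed OTP")
    return otp[:PUBLIC_ID_LEN]


def naive_map(otp: str, status: str, default_user: str = "admin"):
    """The risky pattern from the thread: any OK verdict yields a login, and
    a public ID the deployment never enrolled falls back to a default user.
    With a pre-filled identity in the server DB, that default login is
    reachable by whoever holds the matching pre-shipped key material."""
    if status != "OK":
        return None
    return ENROLLED.get(public_id(otp), default_user)


def strict_map(otp: str, status: str):
    """Safer pattern: the server's verdict AND an explicit local enrolment
    are both required; an unknown public ID is rejected even when valid."""
    if status != "OK":
        return None
    return ENROLLED.get(public_id(otp))  # unknown public ID -> None


def audit_identities(server_identities, enrolled=ENROLLED):
    """Public IDs present in the validation server's database that this
    deployment never enrolled (e.g. identities shipped with a package).
    A non-empty result means the server vouches for keys nobody asked for."""
    return sorted(set(server_identities) - set(enrolled))


if __name__ == "__main__":
    # Constructed OTPs: an enrolled key and one that is not enrolled.
    enrolled_otp = "ccccccbchvth" + "c" * 32
    unknown_otp = "cccccccccccc" + "c" * 32
    print("naive, unknown key :", naive_map(unknown_otp, "OK"))    # admin
    print("strict, unknown key:", strict_map(unknown_otp, "OK"))   # None
    print("strict, enrolled   :", strict_map(enrolled_otp, "OK"))  # alice
    # Constructed server DB that contains one identity we never enrolled.
    print("unenrolled in DB   :",
          audit_identities(["ccccccbchvth", "cccccccccccc"]))
```

The point of `strict_map` is that the validation server only proves "this OTP came from the key with this public ID and has not been replayed"; deciding which user that public ID belongs to is the deployment's own job, so a public ID absent from its own enrolment table must not log anyone in, regardless of what the server's database contains.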