[App_rpt-users] Debian Allstar Linux Image (DIAL) vulnerability
Tom Hayward
tom at tomh.us
Thu Jun 8 19:13:41 UTC 2017
On Thu, Jun 8, 2017 at 11:41 AM, Bryan Fields <Bryan at bryanfields.net> wrote:
> A critical vulnerability has been found in DIAL permitting a remote
> attacker to log into the node and gain a local user shell.
>
> This vulnerability exists because the DIAL default install has a
> default user account with a static password. An attacker could
> exploit this vulnerability by connecting remotely to a node and
> logging in by using the credentials for this default user account.

I appreciate the formality of this notice, but this "vulnerability"
isn't exactly a secret. The instructions for reproducing it are FAQ #2
:-)

http://docs.allstarlink.org/drupal/node/170

Hopefully it is now obvious to everyone that this password should be
changed before deploying the node.

I wonder if it might be best to disable password login in ssh by
default. The user could place their key on the filesystem after
netinstall or flashing the SD card.

Tom KD7LXL
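
Added example, not part of the original message and not DIAL's own code: a check of whether an sshd_config still permits password login, the setting the reply suggests disabling by default. It follows OpenSSH's rules that the first value of a keyword wins and that a Match block can override the global section; the function name and both sample configs are constructed for illustration, and Include files are not followed.

```python
import re

DEFAULT = "yes"  # OpenSSH default when PasswordAuthentication is unset

def audit_password_auth(config_text):
    """Report where sshd_config text leaves password login enabled.

    Returns {"global": bool, "match_yes": [criteria, ...]}.
    """
    global_value = None   # first value seen in the global section wins
    match_yes = []        # Match blocks that turn password login back on
    block = None          # criteria of the Match block being read, if any
    block_seen = False    # keyword already set inside the current block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue      # blank line or comment (commented-out settings too)
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            block, block_seen = arg, False  # a new conditional block starts
        elif keyword == "passwordauthentication" and arg:
            value = arg.split()[0].lower()
            if block is None:
                if global_value is None:
                    global_value = value
            elif not block_seen:
                block_seen = True
                if value == "yes":
                    match_yes.append(block)
    return {"global": (global_value or DEFAULT) == "yes", "match_yes": match_yes}

# Constructed sample: the setting is only present as a comment, so the default applies.
SAMPLE_UNHARDENED = """Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample: disabled globally, but a Match block re-enables it.
SAMPLE_HARDENED = """PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.168.0.0/16
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_password_auth(text))
```

On a running node, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for inspecting an image or config file offline.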