
Feature Proposal: Make it possible to communicate vulnerable user accounts, insecure passwords and hashing algorithms

Open cookiengineer opened this issue 3 years ago • 4 comments

In the age of Docker, Kubernetes and other solutions that allow virtualizations, these solutions often come with preinstalled software, libraries and more importantly - preconfigured user accounts with default passwords.

I think what's missing from the Bill of Vulnerabilities use case are the following things:

  • which running service has a separate user account (postgres? mysql user? service running as root?)
  • which user accounts can be abused for potential logins (does root have a password? does the account have a shell instead of /usr/bin/nologin?)
  • which user password hash algorithm is used for /etc/shadow (DES? MD5? MD6? SHA1?)
  • which user accounts have known default passwords (mysql:mysql, postgres:postgres, remember the MongoDB hack?)
  • which user accounts have compromised passwords (haveibeenpwned, Breach Compilation, Collection #1 etc)

cookiengineer avatar Aug 20 '22 14:08 cookiengineer
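As an added illustration of the account-level checks the proposal lists above (an example added here, not code from this issue or from the CycloneDX project): a small Python audit of /etc/passwd and /etc/shadow style records that reports which hash scheme protects each password, which accounts have no password at all, and which low-UID service accounts still get an interactive shell. The sample records are constructed with dummy hashes, and the UID < 1000 cutoff for "service account" is an assumption.

```python
import re

# crypt(3) scheme ids as they appear in the /etc/shadow password field ($id$...)
HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
                "y": "yescrypt", "gy": "gost-yescrypt"}
WEAK_SCHEMES = {"descrypt", "md5crypt"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/usr/bin/nologin", "/sbin/nologin", "/bin/false"}
SERVICE_UID_MAX = 1000  # assumption: system/service accounts live below this UID

def classify_hash(field):
    """Classify one shadow password field as (state, scheme)."""
    if field == "":
        return ("empty", None)            # account has no password at all
    if field.startswith(("!", "*")):
        return ("locked", None)           # password authentication disabled
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return ("hashed", HASH_SCHEMES.get(m.group(1), "unknown:" + m.group(1)))
    if len(field) == 13:                  # legacy DES crypt: 2-char salt + 11 chars
        return ("hashed", "descrypt")
    return ("hashed", "unknown")

def audit(passwd_text, shadow_text):
    """Return (account, observation) pairs for every local account."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    findings = []
    for line in filter(None, passwd_text.splitlines()):
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        state, scheme = classify_hash(shadow.get(name, "*"))  # no shadow entry: treat as locked
        interactive = shell not in NOLOGIN_SHELLS
        if name == "root" and state == "hashed":
            findings.append((name, f"root password set ({scheme})"))
        if state == "hashed" and scheme in WEAK_SCHEMES:
            findings.append((name, f"weak password hash scheme {scheme}"))
        if state == "hashed" and interactive and name != "root" and int(uid) < SERVICE_UID_MAX:
            findings.append((name, f"service account has password and shell {shell}"))
        if state == "empty" and interactive:
            findings.append((name, "no password set on interactive account"))
    return findings

# Constructed sample records (dummy hashes; only the $id$ prefix is inspected)
PASSWD = """root:x:0:0:root:/root:/bin/bash
postgres:x:70:70::/var/lib/postgresql:/bin/sh
mysql:x:999:999::/nonexistent:/usr/sbin/nologin
app:x:1000:1000::/home/app:/bin/bash"""
SHADOW = """root:$6$dummysalt$DUMMYHASH:19000:0:99999:7:::
postgres:$1$dummysalt$DUMMYHASH:19000:0:99999:7:::
mysql:*:19000:0:99999:7:::
app::19000:0:99999:7:::"""

if __name__ == "__main__":
    for account, note in audit(PASSWD, SHADOW):
        print(f"{account}: {note}")
```

Each observation maps onto one bullet of the proposal, which is the kind of per-account fact a BOM consumer would want to carry alongside the image's components.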

@stevespringett Is there a formal procedure on how to request a feature proposal other than here?

cookiengineer avatar Sep 22 '22 04:09 cookiengineer

Related to #119

stevespringett avatar Sep 22 '22 18:09 stevespringett

Is there a formal procedure on how to request a feature proposal other than here?

You're in the right place. Proposed changes go through the formalized standardization process. https://cyclonedx.org/about/standardization-process/

stevespringett avatar Sep 22 '22 18:09 stevespringett

With the release of CDX schema 1.5, new elements and properties were added to vulnerabilities, such as proofOfConcept, which can hold information on what and how to exploit a system.

jkowalleck avatar Jul 12 '23 14:07 jkowalleck