Valve uses a default SSH password of "steamlink", and reminds developers to change it.
Slight problem: Valve only thinks the password is "steamlink"'; it's actually "steamlin". Oops.
Slightly bigger problem: DES being used for BusyBox, and truncates passwords to have a length of only the first 8 characters.
Those who use words at the beginning of their passwords are extremely susceptible to wordlist attacks, as any entropy after the 8 character is irrelevant. As an example, if you changed the password to "development_qNmGYuCVGQTRm5gL" (which is more than random enough), the password actually gets truncated to a simple "develope".
As a temporary fix (provided by Evan Powers), users can manually force the root account to use SHA512 instead.
passwd -a sha512 root
Update #1: Valve tried to "fix" the problem by changing the documentation.. And still got even that wrong.
Update #2: CVE-2017-17878 has been assigned. No response from Valve yet.
No comments:
Post a Comment