T 4.53 Insecure default settings for storage components

Storage components are often delivered by the manufacturer with insecure default configurations, which undermines the ability to operate the component securely.

The following aspects are often problematic:

Operating system

Storage systems are often delivered with an outdated version of the operating system. Such an outdated version often does not meet current security standards.

Hostnames

Default hostnames often give away the name of the manufacturer of the device. Attackers are then able to target known security gaps in these devices.

Services

Devices are usually delivered with a default factory configuration in which numerous services are enabled. These services may include, for example, HTTP, Telnet, FINGER, or other such services that should be disabled on storage systems for security reasons.

User accounts and passwords

The user accounts set up by the manufacturer often use documented, and therefore generally known, default user names and passwords. There are lists with manufacturer-specific default user account names and passwords available for download on relevant websites so that it is easy for unauthorised persons to obtain access to a system.

Insecure SNMP versions

In SNMPv1 and SNMPv2, authentication relies on a single so-called community string, which is transmitted unencrypted. Almost all manufacturers set the default read community string to "public", while the write community string is usually set to "private". If one of these insecure SNMP versions is used and no separate administration network has been set up for administration purposes, an attacker may easily gain control over the network components as long as these default settings remain enabled.
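The five aspects above translate directly into a configuration audit. The following script is an added example, not part of the BSI catalogue or of any vendor's tooling: it parses a constructed configuration export (the "key value" format, the field names, the vendor-name marker, the minimum OS version and the default-credential list are all assumptions) and reports a finding for each insecure default named in this threat entry, so that the same checks can be run against a hardened export to confirm that none remain.

```python
"""Audit a storage-component configuration export for the insecure defaults
listed in T 4.53 (OS version, hostname, services, accounts, SNMP).
Added example; the export format and field names are assumptions, not a
real vendor format."""

# Constructed sample export (not taken from any real device), one 'key value...' per line.
SAMPLE_CONFIG = """\
hostname NetStorVendor-NAS01
os.version 3.2.1
service http enabled
service https enabled
service telnet enabled
service ssh enabled
service finger enabled
snmp.version 2c
snmp.community.read public
snmp.community.write private
user admin password admin
user backup password Xk9!v2qLp#
"""

# Services named in T 4.53 as examples that should be disabled on storage systems.
INSECURE_SERVICES = {"http", "telnet", "finger"}
# Community strings named in T 4.53 as the near-universal defaults.
DEFAULT_COMMUNITIES = {"public", "private"}
# Assumed manufacturer-name fragment; a real audit uses the site's own vendor list.
VENDOR_MARKERS = ("netstorvendor",)
# Assumed baseline: the OS version the operator has declared as current.
MINIMUM_OS_VERSION = (3, 4, 0)
# Constructed default credential pairs; a real audit takes them from vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def parse_config(text):
    """Turn the 'key value...' export into a dict of the settings the audit needs."""
    cfg = {"hostname": None, "os_version": None, "services": {}, "snmp": {}, "users": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0]
        if key == "hostname":
            cfg["hostname"] = parts[1]
        elif key == "os.version":
            cfg["os_version"] = tuple(int(p) for p in parts[1].split("."))
        elif key == "service":                      # service <name> enabled|disabled
            cfg["services"][parts[1]] = parts[2] == "enabled"
        elif key.startswith("snmp."):               # snmp.version / snmp.community.<role>
            cfg["snmp"][key[len("snmp."):]] = parts[1]
        elif key == "user":                         # user <name> password <secret>
            cfg["users"][parts[1]] = parts[3]
    return cfg


def audit(cfg):
    """Return a list of (category, message) findings, one per insecure default found."""
    findings = []
    if cfg["os_version"] is not None and cfg["os_version"] < MINIMUM_OS_VERSION:
        version = ".".join(map(str, cfg["os_version"]))
        findings.append(("os", f"outdated OS version {version}"))
    host = (cfg["hostname"] or "").lower()
    if any(marker in host for marker in VENDOR_MARKERS):
        findings.append(("hostname", f"hostname '{cfg['hostname']}' reveals the manufacturer"))
    for svc, enabled in sorted(cfg["services"].items()):
        if enabled and svc in INSECURE_SERVICES:
            findings.append(("service", f"insecure service '{svc}' is enabled"))
    for name, secret in sorted(cfg["users"].items()):
        if (name, secret) in DEFAULT_CREDENTIALS:
            findings.append(("account", f"user '{name}' still uses a default password"))
    snmp = cfg["snmp"]
    if snmp.get("version") in ("1", "2c"):
        findings.append(("snmp", f"SNMPv{snmp['version']} authenticates with a plaintext community string"))
    for role in ("read", "write"):
        community = snmp.get(f"community.{role}", "")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp", f"{role} community string is the default '{community}'"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for category, message in audit_text(SAMPLE_CONFIG):
        print(f"[{category}] {message}")
```

Run against the sample export it reports nine findings, one for each default the entry describes; an export with a current OS version, a neutral hostname, only encrypted services enabled, SNMPv3 and changed passwords produces none.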