
Enabled default credentials

Description

It is possible to use low-strength, default credentials to access system resources, such as the database.

Impact

Obtain unauthorized access to resources or services with public credentials

Recommendation

Remove the default credentials from the storage manager so that login attempts with them cannot succeed.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:O/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.2
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Correctly configure the AWS credential used to access resources.

resource "aws_iam_user" "example" {
  name = "example"
}

resource "aws_iam_service_specific_credential" "example" {
  service_name = "example"
  user_name    = aws_iam_user.example.name
  # The AWS provider generates the password itself and exposes it only as the
  # sensitive exported attribute service_password; it is not set in configuration.
}

Non-compliant code

Default password settings enabled in a resource.

resource "aws_iam_user" "example" {
  name = "example"
}

resource "aws_iam_service_specific_credential" "example" {
  service_name     = "example"
  user_name        = "admin"
  service_password = "default"
}
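As an added illustration (not code from this page), a small Python check that scans Terraform text for the pattern in the non-compliant block: literal default or low-strength values, or lone bare placeholder words, assigned to credential attributes. The attribute names, denylist and minimum length are assumptions to be tuned per environment.

```python
import re
# Constructed denylist of well-known default or low-strength values; extend it for your environment.
DEFAULT_VALUES = {"", "default", "admin", "password", "root", "changeme", "guest", "test"}
MIN_PASSWORD_LENGTH = 12
# Attribute names carrying secrets or logins in Terraform (assumption: illustrative, not exhaustive).
SECRET_ATTRS = {"service_password", "password", "master_password"}
USER_ATTRS = {"user_name", "username", "master_username"}

BLOCK_START = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Matches `key = "literal"` or `key = bare.reference` inside a block.
ASSIGNMENT = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([A-Za-z_][\w.]*))\s*$')


def find_default_credentials(hcl_text):
    """Return (block, attribute, reason) tuples for default or weak credentials in HCL text."""
    findings = []
    block = None
    for line in hcl_text.splitlines():
        start = BLOCK_START.match(line)
        if start:
            block = f"{start.group(1)}.{start.group(2)}"
            continue
        if line.strip() == "}":
            block = None
            continue
        m = ASSIGNMENT.match(line)
        if block is None or not m:
            continue
        key, literal, reference = m.groups()
        if key not in SECRET_ATTRS | USER_ATTRS:
            continue
        if literal is None:
            # A dotted reference resolves to another resource; a lone bare word such as `default` is a placeholder.
            if "." not in reference:
                findings.append((block, key, f"bare placeholder value '{reference}'"))
            continue
        if literal.lower() in DEFAULT_VALUES:
            findings.append((block, key, f"default value '{literal}'"))
        elif key in SECRET_ATTRS and len(literal) < MIN_PASSWORD_LENGTH:
            findings.append((block, key, f"low-strength value ({len(literal)} chars)"))
    return findings


# Constructed sample mirroring the non-compliant block above.
NON_COMPLIANT = """
resource "aws_iam_service_specific_credential" "example" {
  service_name     = "example"
  user_name        = "admin"
  service_password = "default"
}
"""
```

Run `find_default_credentials(open("main.tf").read())` over a module to list the offending block and attribute for each default credential.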

Requirements