On Wed, Jun 7, 2023 at 8:41 AM Izaac <izaac@setec.org> wrote:
> On Sun, Jun 04, 2023 at 01:19:18PM -0700, William Herrin wrote:
>> IP address is hard-coded in Bind which will use it by default unless configured not to.
> It is not "hard coded." It is a default configuration. You can change it. You are *supposed* to change it.
Data embedded in the binary is hard-coded. That's what hard-coded means. If it makes you happier I'll qualify it as a "hard-coded default," to differentiate it from settings the operator can't override with configuration. It's an instance of https://cwe.mitre.org/data/definitions/344.html and you can see a similar sort of error in play in https://cwe.mitre.org/data/definitions/798.html
> First, you have completely ignored the argument: THERE IS NO FLAW IN COMPUTATIONAL LOGIC. There is no vulnerability.
A quick search of https://cve.mitre.org/cve/search_cve_list.html shows between 600 and 3700 CVEs related to default configurations that are either directly insecure or unexpectedly become insecure when some but not all of the defaults are changed by the operator. The vast majority of these CVEs exhibit, as you say, no flaw in the computational logic.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/