Re: BigIP - bigconf.cgi holes

From: Rob Gilde (r.gildeat_private)
Date: Wed Nov 10 1999 - 18:59:49 PST


    Guy Cohen writes:
    | Unfortunately this affects version 2.1.2 too.
    | I have added (using the html interface) a user with READ-ONLY access, logged
    | in as this user and by executing
    | 'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was
    | able to see the encrypted passwords in /etc/master.passwd which is for
    | root eyes only.
    
    Good point.  That slipped past us.  We will release a patch on Thursday
    11/10, Version 2.1.2 PTF-02.  Hopefully this will not be a problem for
    most customers since they are very unlikely to give access to a
    malicious user.  The patch will be available through the normal means.
    
    Ejovi Nuwere writes:
    | So if I understand correctly, F5 has made many improvements to the
    | security of BigIP. Now was adding a second account with uid 0 without the
    | knowledge of the user part of that plan?
    
    | This is blatantly bad security practice, every BigIP box I have come
    | across has this account. Not only did you add a shell account, but you did
    | the same for the browser configuration tool:
    
    The second account has always been part of the product, so it is not
    something that we slipped in.  It has always been visible to any user who
    looked for it.  Most importantly, the account is only used by F5 Networks
    when a customer has explicitly requested that F5 do so.  I apologize to any
    customers who were caught unaware of this.
    
    In any case, now that you've brought up the subject, we have re-evaluated
    the advantages and disadvantages of having this account and we have decided
    to henceforth disable it by default.  We will be contacting each of our
    customers individually and recommending that they disable the support
    account or change the password.
    
    Even though your posting included hashed passwords, since the hashing
    algorithm is very strong, we do not believe that any BIG/ip or 3DNS units
    have a security risk at this time.
    
    Customer feedback like this has helped us improve the quality of the products
    since their inception, not only in security, but in capabilities and
    usability.  We are very grateful!
    
    
    Rob Gilde
    Product Development Manager
    voice: 206-505-0857
    email: robat_private
    
    F5 Networks, Inc.
    200 First Avenue West, Suite 500
    Seattle, WA 98119
    http://www.f5.com
    1-888-88BIGIP
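
The request quoted in the message above, turned into a log check, as an added example that is not part of the original message or of F5's code: it flags `view_textfile` requests whose `file` parameter resolves outside the directory the viewer is expected to serve. The allowed directory `/var/log`, the (user, request) log tuples, the non-`view_textfile` command name and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumption: the only directory the text-file viewer should serve.
ALLOWED_ROOT = "/var/log"

# Constructed (user, request target) pairs, not real captures.
SAMPLE_LOG = [
    ("admin", "/bigconf.cgi?command=view_textfile&file=/var/log/messages&filters=;"),
    ("readonly1", "/bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;"),
    ("readonly1", "/bigconf.cgi?command=view_textfile&file=/var/log/../../etc/master.passwd"),
    ("readonly1", "/bigconf.cgi?command=view_textfile&file=%2Fetc%2Fmaster.passwd"),
    ("admin", "/bigconf.cgi?command=some_other_command"),  # constructed command name
]


def is_inside(path, root=ALLOWED_ROOT):
    """True if the normalised path stays under root ('..' segments collapsed)."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def suspicious_requests(entries, root=ALLOWED_ROOT):
    """Return (user, requested_file) for view_textfile requests outside root."""
    hits = []
    for user, target in entries:
        parts = urlsplit(target)
        if not parts.path.endswith("bigconf.cgi"):
            continue
        query = parse_qs(parts.query)  # parse_qs also percent-decodes values
        if "view_textfile" not in query.get("command", []):
            continue
        for requested in query.get("file", []):
            # Relative paths are flagged too: they cannot be checked against root.
            if not requested.startswith("/") or not is_inside(requested, root):
                hits.append((user, requested))
    return hits


if __name__ == "__main__":
    for user, requested in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT user={user} requested file outside {ALLOWED_ROOT}: {requested}")
```

The same `is_inside` comparison, applied server-side before the file is opened and combined with a per-user privilege check, is the corresponding mitigation.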
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:06 PDT