---------- Forwarded message ----------
Date: Thu, 11 Nov 1999 00:48:30 -0800 (PST)
From: supportat_private
To: updatesat_private
Cc: supportat_private
Subject: F5 Networks Security Advisory

It has recently come to our attention that a hashed (scrambled) version of the BIG/ip and 3DNS default support passwords has been posted in a public forum. These passwords are used by F5 support personnel to gain access to units in the field when a customer has requested them to do so. The actual passwords are still secret; however, knowledge of the hashed version makes it easier to discover the password itself. The encryption used for scrambling the support password is extended-DES and is not easily compromised.

Customers have always had the ability to change the password on BIG/ip + 3DNS. Those who have done this are not at risk. Further, by default, BIG/ip and 3DNS only allow login access from F5's network address. However, for the sake of convenience, some customers may have relaxed this restriction. Also, it is possible for hackers to spoof a network address.

In order to ensure maximum security for your system, we recommend that all customers change their support passwords immediately using the procedure outlined below. F5 will release a patch that automatically removes the support account from the GUI and disables it from shell access. You can access this patch tomorrow at the URL listed below; however, completing the referenced procedure will accomplish the same actions as the patch.

We sincerely apologize for any inconvenience this causes to our customers. F5 is committed to doing whatever is necessary to address your concerns regarding this issue. We encourage you to contact Support with any questions or concerns you have regarding this issue. You can reach us at (888)882-4447 or (206)505-0888, or email us at supportat_private

Please note that nobody from F5 will ever call and ask for your password. Remote Support will only respond to a specific request by a customer to access their system.

Thank You,
Bill Hilton
Director of Professional Services
F5 Networks

----------------------------------------------------------------------------

THE FOLLOWING PROCEDURE SHOULD BE CARRIED OUT ON EVERY BIG/ip AND 3DNS:

These instructions, along with the patch, can be found at: tech.f5.com/home/passwordchange.html
Username: support
Password: BIGip@f5

1) Reset the support login password: Run the "vipw" command to edit the password file. Find the line that starts with "support". Replace all of the characters between the first and second colon (":") with an asterisk to disable the account. If choosing a new password, also follow step 2 below...

2) Optionally set a new support login password: Run the "passwd support" command and enter a new password when prompted.

3) Delete the support web password (BIG/ip only): Edit "/var/f5/httpd/basicauth/users" with the vi or pico text editor; find the line that starts with "support" (ignore capitalization) and delete it.

4) Optionally create a new support web account and password using the web-based Config Utility (BIG/ip only).

On fresh BIG/ip installs, when the first-time boot utility asks if you want to allow support web access, answer 'no'.

When choosing new passwords, pick something that is at least 8 characters long and contains mixed-case letters and numbers.

---
This message has been PGP signed for authenticity. To obtain the public key, please point your web browser to http://tech.f5.com/f5pubkey.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: OkvSicykXOy4M36acfbcs0INhWYMtF5R

iQA/AwUBOCqCIUj4UVBWRDsQEQLohgCgtbZoBxzHP19BbKU1ilcpXxxAQz8AoPxM
pVyUeu2DWrBOBKjtdO8tENXl
=TSM2
-----END PGP SIGNATURE-----
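Steps 1 and 3 of the advisory's procedure, plus a check that both support logins are actually gone, as an added shell example. This is not F5's code and not part of the original advisory: it runs against constructed sample files in a temporary directory (the file layout beyond "hash between the first and second colon", the placeholder hashes and the path names are assumptions made here), so it can be tried offline. On a real unit the password file should still be edited through vipw as the advisory says, since vipw takes the lock and rebuilds the password database; the example only shows the text transformation and the verification.

```shell
#!/bin/sh
# Added example, not F5's code. Non-interactive equivalent of the advisory's
# step 1 (lock the 'support' shell login) and step 3 (remove the 'support'
# web basic-auth entry), with a check that both are done.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PWFILE="$WORK/master.passwd"   # stand-in for the file vipw edits (assumed layout)
AUTHFILE="$WORK/users"         # stand-in for /var/f5/httpd/basicauth/users

# Constructed sample contents. The hashes are placeholders, not real F5 hashes.
cat > "$PWFILE" <<'EOF'
root:$1$placeholderroothash:0:0::0:0:Charlie &:/root:/bin/csh
support:$1$placeholdersupporthash:1000:1000::0:0:F5 Support:/home/support:/bin/sh
EOF
cat > "$AUTHFILE" <<'EOF'
admin:placeholderadminhash
Support:placeholdersupporthash
EOF

# Step 1: replace the field between the first and second colon with '*' for
# the 'support' user only; every other field and every other line is untouched.
disable_support_login() {
    awk -F: 'BEGIN{OFS=":"} $1=="support"{$2="*"} {print}' "$1" > "$1.new"
    mv "$1.new" "$1"
}

# Step 3: drop the line starting with 'support:' in any capitalization.
# grep exits 1 when nothing is left, which is fine here.
delete_support_web_user() {
    grep -iv '^support:' "$1" > "$1.new" || true
    mv "$1.new" "$1"
}

# Check: succeeds only if the support account is disabled in BOTH files.
support_is_disabled() {
    # Shell login: pass if there is no 'support' entry, or if its hash field
    # starts with a lock marker ('*' as in the advisory, or '!'). An empty
    # field is a passwordless login, so it counts as enabled.
    awk -F: '$1=="support"{n++; h=$2}
             END{ if (n==0 || h ~ /^[*!]/) exit 0; exit 1 }' "$1" || return 1
    # Web login: no line beginning with 'support:' in any capitalization.
    ! grep -iq '^support:' "$2"
}

echo "before: $(support_is_disabled "$PWFILE" "$AUTHFILE" && echo disabled || echo ENABLED)"
disable_support_login "$PWFILE"
delete_support_web_user "$AUTHFILE"
echo "after:  $(support_is_disabled "$PWFILE" "$AUTHFILE" && echo disabled || echo ENABLED)"
```

The check function is the part worth keeping: run it against the live files after following the advisory (or after applying the patch) to confirm nothing was missed, and note that it deliberately treats an empty hash field as enabled rather than disabled.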
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:07 PDT