Re: F5 Networks Security Advisory (fwd)

From: Mike Johnson (mike.johnson@GD-CS.COM)
Date: Thu Nov 11 1999 - 09:48:14 PST

Next message: Mnemonix: "FormHandler.cgi"

Previous message: David R. Conrad: "Re: CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND"
Maybe in reply to: Gwendolynn ferch Elydyr: "F5 Networks Security Advisory (fwd)"
Next in thread: pedwardat_private: "Re: F5 Networks Security Advisory (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Okay, first off, I've never used anything from F5.  In fact, I don't
think I've ever seen anything from them, firsthand.  However, my
thoughts on this are generic enough that this shouldn't matter.

At 10:18 PM 11/10/99 -0800, pedwardat_private wrote:

>First of all, it's just stupid to sit here and say "They ship a product with
>a security hole, because it has a support password that is root priv'd".

How is this different from the backdoors that were found in other network
equipment, not too long ago?

>They assured me that they rotate the passwords on a regular basis to
ensure >that accountability is retained internally.

What is that regular basis?  Hourly?  Daily?  Weekly?  Monthly?  Yearly?
There's still at least two boxes out there with the same password.

>If the device shipped with a password that was obtained via a hex dump of
a >ROM, I could understand, but we're talking about a password that requires
>many hours of CPU time, or hundreds of thousands of dollars of hardware.

No, we're talking about a password that is identical on at least two systems.
This is bad, in my opinion.

>I don't like good people like F5 getting grilled, and sending me a stupid
>advisory, because someone cried the equivelent of 'Y2K bug'.

Again, if I had a system from F5, this bug would at least annoy me.

>Hey everybody, <insert fav dist> ships with a UID 0 account, it's password
>is probably guessable.

This is what I really wanted to comment about.  First, why do the systems
ship with a password at all?  None of the OSes I've used ship with one,
but they do -require- you to create a password for the 'root' account
when you are physically at the terminal during install, or at first boot.
Without doing this, the system never boots entirely.  Or, it's done a
different way.  Take Cisco routers (at least the one's I've used) for
example.  You cannot remotely log into them if a password is not set.
Setting the password is as simple as plugging in a serial cable.  I think
F5 could/should do something similar to this, regardless of which IP
addresses are allowed to connect to the system.

>Grr, this just makes me mad that we're discussing this.

I see it as a security related bug.  Now, I'll probably never buy an F5
product, or be in any way involved in a purchasing decision related to
an F5 product, but that has nothing to do with this bug.  Still, I find
it interesting and I believe that it does belong on BUGTRAQ.

>--Perry

Mike

--
Mike Johnson - mike.johnson@gd-cs.com
Network Engineer - New Technology Group
General Dynamics - All opinions are mine, not General Dynamics'.

Next message: Mnemonix: "FormHandler.cgi"
Previous message: David R. Conrad: "Re: CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND"
Maybe in reply to: Gwendolynn ferch Elydyr: "F5 Networks Security Advisory (fwd)"
Next in thread: pedwardat_private: "Re: F5 Networks Security Advisory (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:30 PDT