pedwardat_private wrote:

> I am upset about the recent thread about the Big/ip support account
> on Bugtraq.

Yes, so am I. Instead of reacting with "No we should never have done that", F5 reacts by downplaying the importance of the issue, and just recommends changing the password.

> First of all, it's just stupid to sit here and say "They ship a
> product with a security hole, because it has a support password that
> is root priv'd".
>
> I have known about this for nearly 2 years, questioned them
> initially, but wrote it off as non-consequential.
>
> First of all, the default config is very restrictive, and they don't
> recommend the contrary.
>
> The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT
> of the sshd config.
>
> They assured me that they rotate the passwords on a regular basis to
> ensure that accountability is retained internally.

So, what happens when someone with an F5 product (whatever that is, but it seems to run on a Unix-like OS) calls for support, and traces the connection (*). Bingo, now one "customer" in the field has the F5 support password. All other customers in the same "rotation" of the password have the same password. Ooops.

Having the password on a firewall protected host on the internet may not allow an easy "remote" exploit, but it sure allows someone with a legit (userlevel) access to the box to elevate his privs to root.

As the crackerworld 10 years ago was collecting "common password lists" for VMS and Unix machines, they must now be collecting passwords to F5 machines.

In conclusion: maybe it's acceptable to distribute

support:*AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash

then when support is necessary, instruct the sysop to remove the "*". Or just distribute:

support:*:0:0:F5 remote support:/:/bin/bash

and ask the sysop to change the * to AgKPxJ3xBFOhM when support is necessary. But shipping such an account enabled and accessible to SOME is a risk, that could be avoided.

Roger.

(*) So, they're going to ssh into the machine. That prevents snooping at the ethernet. So snooping will have to be done on the machine, and we can assume that the owners have their own Root password....

--
** R.E.Wolffat_private ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
"I didn't say it was your fault. I said I was going to blame it on you."
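The following is an added example, not part of the thread above and not F5's or BitWizard's code. It is a small audit script in Python that reads /etc/passwd-style records and flags any non-root account with UID 0 whose password field still holds a usable hash, which is exactly the shipped-enabled condition Roger objects to. It also shows why his suggested `*` prefix disarms the entry: `*` is outside the crypt(3) alphabet, so no typed password can ever hash to it. The sample records are constructed for the example; only the `support` line and its hash `AgKPxJ3xBFOhM` are quoted from the message.

```python
"""Audit /etc/passwd-style records for extra UID-0 accounts with usable passwords.

Added example for the Big/ip support-account thread; not vendor code.
"""
import re
from dataclasses import dataclass

# Traditional DES crypt(3) output: exactly 13 characters from [./0-9A-Za-z].
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format ($id$...) used by md5crypt, sha512crypt, bcrypt, yescrypt.
_MCF = re.compile(r"^\$[0-9a-z]+\$")


@dataclass
class PasswdEntry:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse the seven colon-separated fields of each passwd record."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def password_status(pw: str) -> str:
    """Classify a passwd password field.

    'empty'    -> no password needed at all (worst case)
    'shadowed' -> real hash lives in /etc/shadow; audit that file too
    'locked'   -> field can never be matched by crypt(3) ('*', '!', or junk)
    'usable'   -> looks like a real hash, so a shared password would work
    """
    if pw == "":
        return "empty"
    if pw == "x":
        return "shadowed"
    if pw[0] in "*!":
        # '*' and '!' are not in the crypt alphabet, so the hash is disarmed
        # without being lost; removing the prefix re-enables it.
        return "locked"
    if _DES_CRYPT.match(pw) or _MCF.match(pw):
        return "usable"
    return "locked"


def find_extra_superusers(entries: list) -> list:
    """Any UID-0 account other than 'root' is a second root login."""
    return [e for e in entries if e.uid == 0 and e.name != "root"]


def audit(text: str) -> list:
    """Return (account, password status, severity) for every extra UID-0 account."""
    findings = []
    for e in find_extra_superusers(parse_passwd(text)):
        status = password_status(e.pw)
        severity = "high" if status in ("usable", "empty") else "info"
        findings.append((e.name, status, severity))
    return findings


# Constructed sample records. The 'support' line is the one quoted in the thread.
AS_SHIPPED = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
support:AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash
operator:x:1001:1001:ops user:/home/operator:/bin/sh
"""

# Same records after applying Roger's '*' prefix to the support hash.
HARDENED = AS_SHIPPED.replace(":AgKPxJ3xBFOhM:", ":*AgKPxJ3xBFOhM:")

if __name__ == "__main__":
    for label, text in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        for name, status, severity in audit(text):
            print(f"[{severity}] {label}: uid-0 account '{name}' password is {status}")
```

Run it against a real system with `audit(open("/etc/passwd").read())`; on any modern system most accounts will report `shadowed`, which means the same classification must be repeated on the hash field of /etc/shadow before concluding anything. The script deliberately reports a locked extra UID-0 account at `info` level rather than ignoring it, since a one-character edit turns it back into a root login.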
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:38 PDT