Re: F5 Networks Security Advisory (fwd)

From: Rogier Wolff (R.E.Wolffat_private)
Date: Fri Nov 12 1999 - 00:54:13 PST


    pedwardat_private wrote:
    
    > I am upset about the recent thread about the Big/ip support account
    > on Bugtraq.
    
    Yes, so am I. Instead of reacting with "No we should never have done
    that", F5 reacts by downplaying the importance of the issue, and just
    recommends changing the password.
    
    > First of all, it's just stupid to sit here and say "They ship a
    > product with a security hole, because it has a support password that
    > is root priv'd".
    
    > I have known about this for nearly 2 years, questioned them
    > initially, but wrote it off as non-consequential.
    
    > First of all, the default config is very restrictive, and they don't
    > recommend the contrary.
    
    > The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT
    > of the sshd config.
    
    > They assured me that they rotate the passwords on a regular basis to
    > ensure that accountability is retained internally.
    
    So, what happens when someone with an F5 product (whatever that is,
    but it seems to run on a Unix-like OS) calls for support, and traces
    the connection (*). Bingo, now one "customer" in the field has the F5
    support password. All other customers in the same "rotation" of the
    password have the same password. Ooops.
    
    Having the password on a firewall protected host on the internet may
    not allow an easy "remote" exploit, but it sure allows someone with a
    legit (userlevel) access to the box to elevate his privs to root.
    
    As the crackerworld 10 years ago was collecting "common password
    lists" for VMS and Unix machines, they must now be collecting
    passwords to F5 machines.
    
    In conclusion: maybe it's acceptable to distribute
    
    support:*AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash
    
    then when support is necessary, instruct the sysop to remove the "*".
    
    Or just distribute:
    
    support:*:0:0:F5 remote support:/:/bin/bash
    
    and ask the sysop to change the * to AgKPxJ3xBFOhM when support is
    necessary. But shipping such an account enabled and accessible to
    SOME is a risk that could be avoided.
    
    				Roger.
    
    (*) So, they're going to ssh into the machine. That prevents snooping
    at the ethernet. So snooping will have to be done on the machine, and
    we can assume that the owners have their own Root password....
    
    --
    ** R.E.Wolffat_private ** http://www.BitWizard.nl/ ** +31-15-2137555 **
    *-- BitWizard writes Linux device drivers for any device you may have! --*
     "I didn't say it was your fault. I said I was going to blame it on you."
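A small audit script, added here as an example and not part of the original post or of any F5 tooling, that reads passwd-format lines, flags every UID-0 account other than root, and reports whether it is locked the way the post proposes (a `*` in front of the hash). The sample lines are constructed from the two entries quoted above plus the "enabled" form with the `*` removed; the `Finding` class, function names and the `support2`/`support3` usernames are the example's own.

```python
from dataclasses import dataclass

# Constructed sample /etc/passwd content: the two entries proposed in the post,
# the same entry with the leading "*" removed (the enabled form the post warns
# about), plus ordinary root and nobody entries for contrast.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
support:*AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash
support2:*:0:0:F5 remote support:/:/bin/bash
support3:AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

@dataclass
class Finding:
    user: str
    locked: bool  # True when the password field can never match a login attempt
    note: str

def is_locked(pw_field: str) -> bool:
    # A field that is, or starts with, "*" or "!" is not a valid crypt(3) hash,
    # so no password matches it; "*" in front of a real hash (as the post
    # suggests) keeps the hash on the system but disables the account.
    return pw_field.startswith(("*", "!"))

def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per UID-0 account other than root, in file order."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        user, pw, uid_s, _gid, gecos, _home, shell = fields
        if user == "root" or not uid_s.isdigit() or int(uid_s) != 0:
            continue
        if pw == "x":  # hash lives in /etc/shadow; cannot tell from this file
            locked, note = False, "UID 0, hash in /etc/shadow: check that file"
        elif is_locked(pw):
            locked, note = True, "UID 0 but locked (field starts with '*' or '!')"
        else:
            locked, note = False, f"ENABLED UID-0 account, shell {shell}, gecos {gecos!r}"
        findings.append(Finding(user, locked, note))
    return findings

def enabled_root_accounts(text: str) -> list[str]:
    """Usernames of extra UID-0 accounts that /etc/passwd does not show as locked."""
    return [f.user for f in audit_passwd(text) if not f.locked]
```

Run it against a real `/etc/passwd` (and then `/etc/shadow` for any `x` entries) to see whether a shipped support account is enabled rather than merely renamed.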
    