Bugtraq mailing list archives

F5 Networks Security Advisory (fwd)


From: gwen () REPTILES ORG (Gwendolynn ferch Elydyr)
Date: Wed, 10 Nov 1999 21:54:17 -0500


---------- Forwarded message ----------
Date: Thu, 11 Nov 1999 00:48:30 -0800 (PST)
From: support () jump f5 com
To: updates () jump f5 com
Cc: support () f5 com
Subject: F5 Networks Security Advisory

It has recently come to our attention that a hashed (scrambled) version of
the BIG/ip and 3DNS default support passwords has been posted in a public
forum.  These passwords are used by F5 support personnel to gain access to
units in the field when a customer has requested them to do so. The actual
passwords are still secret, however, knowledge of the hashed version makes
it easier to discover the password itself.  The encryption used for
scrambling the support password is extended-DES and is not easily
compromised.

Customers have always had the ability to change the password on Big/IP +
3DNS.  Those who have done this are not at risk.  Further, by default,
BIG/ip and 3DNS only allow login access from F5's network address.
However, for the sake of convenience, some customers may have relaxed this
restriction.  Also, it is possible for hackers to spoof a network address.

In order to ensure maximum security for your system, we recommend that all
customers change their support passwords immediately using the procedure
outlined below.  F5 will release a patch that automatically removes the
support account from the GUI and disables it from shell access.  You can
access this patch tomorrow at the URL listed below, however, completing
the referenced procedure will accomplish the same actions as the patch.

We sincerely apologize for any inconvenience this causes to our customers.
F5 is committed to doing whatever is necessary to address your concerns
regarding this issue.  We encourage you to contact Support with any
questions or concerns you have regarding this issue.  You can reach us at
(888)882-4447 or (206)505-0888, or email us at support () f5 com.  Please
note that nobody from F5 will ever call and ask for your password.  Remote
Support will only respond to a specific request by a customer to access
their system.

Thank You,
Bill Hilton
Director of Professional Services
F5 Networks

----------------------------------------------------------------------------
THE FOLLOWING PROCEDURE SHOULD BE CARRIED OUT ON EVERY BIG/ip AND 3DNS:

These instructions, along with the patch can be found at:
tech.f5.com/home/passwordchange.html

     Username:  support
     Password:  BIGip@f5

1) Reset the support login password:

   Run the "vipw" command to edit the password file.
   Find the line that starts with "support".
   Replace all of the characters between the first and second colon (":")
   with an asterisk to disable the account.  If choosing a new password,
   also follow step 2 below...

2) Optionally set a new support login password:

   Run the "passwd support" command and enter a new password when
   prompted.

3) Delete the support web password (BIG/ip only):

   Edit "/var/f5/httpd/basicauth/users" with vi or pico text editor;
   Find the line that starts with "support" (ignore capitalization)
   and delete it.

4) Optionally create a new support web account and password using the
   web-based Config Utility. (BIG/ip only)

On fresh BIG/ip installs, when the first time boot utility asks if you
want to allow support web access, answer 'no'.

When choosing new passwords, pick something that is at least 8 characters
long and contains mixed case letters and numbers.

---

This message has been PGP signed for authenticity.  To obtain the public
key, please point your web browser to http://tech.f5.com/f5pubkey.
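As an added audit example (not part of the F5 advisory), the script below reports whether the "support" account is still enabled in a passwd-format file (the field step 1 edits with vipw) and whether a "support" line remains in the basicauth users file (step 3). The file contents and hash strings are constructed placeholders; the advisory's own file path is assumed only in the comments.

```shell
#!/bin/sh
# Audit helpers for the procedure in the advisory. "support_shell_status"
# inspects the password field of the "support" entry; "support_web_status"
# checks the BIG/ip basicauth users file (/var/f5/httpd/basicauth/users in
# the advisory) for a support line, ignoring capitalization as step 3 says.

# Print "enabled" if the support entry still carries a hash, "disabled" if the
# field was replaced with "*" as step 1 instructs, "absent" if no entry exists.
support_shell_status() {
    awk -F: '
        $1 == "support" { found = 1; field = $2 }
        END {
            if (!found)                print "absent"
            else if (field ~ /^[*!]/)  print "disabled"
            else                       print "enabled"
        }' "$1"
}

# Print "present" if any line names the support user (case-insensitive) in the
# basicauth users file, otherwise "clean".
support_web_status() {
    awk -F: 'tolower($1) == "support" { found = 1 }
             END { print (found ? "present" : "clean") }' "$1"
}

# Constructed sample files: state before and after following the procedure.
# The hash strings are placeholders, not real password hashes.
demo_dir=$(mktemp -d)
printf 'root:PLACEHOLDER_ROOT_HASH:0:0:root:/root:/bin/sh\nsupport:PLACEHOLDER_SUPPORT_HASH:1001:1001:F5 Support:/home/support:/bin/sh\n' \
    > "$demo_dir/passwd.before"
printf 'root:PLACEHOLDER_ROOT_HASH:0:0:root:/root:/bin/sh\nsupport:*:1001:1001:F5 Support:/home/support:/bin/sh\n' \
    > "$demo_dir/passwd.after"
printf 'admin:PLACEHOLDER_WEB_HASH\nSupport:PLACEHOLDER_WEB_HASH\n' > "$demo_dir/users.before"
printf 'admin:PLACEHOLDER_WEB_HASH\n' > "$demo_dir/users.after"

echo "shell account before: $(support_shell_status "$demo_dir/passwd.before")"  # enabled
echo "shell account after:  $(support_shell_status "$demo_dir/passwd.after")"   # disabled
echo "web account before:   $(support_web_status "$demo_dir/users.before")"     # present
echo "web account after:    $(support_web_status "$demo_dir/users.after")"      # clean
```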

