Bugtraq mailing list archives
Re: F5 Networks Security Advisory (fwd)
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Thu, 11 Nov 1999 10:20:16 -0800
Okay, first off, I've never used anything from F5. In fact, I don't think I've ever seen anything from them, firsthand. However, my thoughts on this are generic enough that this shouldn't matter. At 10:18 PM 11/10/99 -0800, pedward () WEBCOM COM wrote:First of all, it's just stupid to sit here and say "They ship a product with a security hole, because it has a support password that is root priv'd".How is this different from the backdoors that were found in other network equipment, not too long ago?
In the other systems, the password was obtained through a hex dump of the firmware, this is Extended DES encoded, much stronger than anything in firmware, to date.
They assured me that they rotate the passwords on a regular basis toensure >that accountability is retained internally. What is that regular basis? Hourly? Daily? Weekly? Monthly? Yearly? There's still at least two boxes out there with the same password.
I was told monthly.
If the device shipped with a password that was obtained via a hex dump ofa >ROM, I could understand, but we're talking about a password that requiresmany hours of CPU time, or hundreds of thousands of dollars of hardware.No, we're talking about a password that is identical on at least two systems. This is bad, in my opinion.
How are they going to fulfill their support contract without it? They login and upgrade your system for you, with your knowledge, of course.
I don't like good people like F5 getting grilled, and sending me a stupid advisory, because someone cried the equivelent of 'Y2K bug'.Again, if I had a system from F5, this bug would at least annoy me.
It's not a bug, it's a policy decision. People are freaking over it because of the mass hysteria created by 'ohh, you shouldn't have a vendor password'.
Hey everybody, <insert fav dist> ships with a UID 0 account, it's password is probably guessable.This is what I really wanted to comment about. First, why do the systems ship with a password at all? None of the OSes I've used ship with one, but they do -require- you to create a password for the 'root' account when you are physically at the terminal during install, or at first boot. Without doing this, the system never boots entirely. Or, it's done a different way. Take Cisco routers (at least the one's I've used) for example. You cannot remotely log into them if a password is not set. Setting the password is as simple as plugging in a serial cable. I think F5 could/should do something similar to this, regardless of which IP addresses are allowed to connect to the system.
Unix is slightly different than embedded, but this could be achieved via: /etc/securetty: /dev/ttyS0
Grr, this just makes me mad that we're discussing this.I see it as a security related bug. Now, I'll probably never buy an F5 product, or be in any way involved in a purchasing decision related to an F5 product, but that has nothing to do with this bug. Still, I find it interesting and I believe that it does belong on BUGTRAQ.
That's the point, it's not a 'bug', it's a policy set forth by F5. Someone may disagreee with this policy, but I don't. I have faith in the security they maintain, ot trust them with access to my box. I didn't intend this to be an attack on you, I was addressing the list as a whole.
--PerryMike -- Mike Johnson - mike.johnson () gd-cs com Network Engineer - New Technology Group General Dynamics - All opinions are mine, not General Dynamics'.
--Perry -- Perry Harrington Director of zelur xuniL () perry () webcom com System Architecture Think Blue. /\
Current thread:
- F5 Networks Security Advisory (fwd) Gwendolynn ferch Elydyr (Nov 10)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 10)
- Re: F5 Networks Security Advisory (fwd) Mike Johnson (Nov 11)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 11)
- FormHandler.cgi Mnemonix (Nov 11)
- Re: FormHandler.cgi m4rcyS (Nov 16)
- hping2 antirez () INVECE ORG (Nov 16)
- Re: F5 Networks Security Advisory (fwd) Mike Johnson (Nov 11)
- Re: F5 Networks Security Advisory (fwd) Rogier Wolff (Nov 12)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 10)