Bugtraq mailing list archives

Re: F5 Networks Security Advisory (fwd)


From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Fri, 12 Nov 1999 09:54:13 +0100


pedward () WEBCOM COM wrote:

I am upset about the recent thread about the Big/ip support account
on Bugtraq.

Yes, so am I. Instead of reacting with "No we should never have done
that", F5 reacts by downplaying the importance of the issue, and just
recommends changing the password.

First of all, it's just stupid to sit here and say "They ship a
product with a security hole, because it has a support password that
is root priv'd".

I have known about this for nearly 2 years, questioned them
initially, but wrote it off as non-consequential.

First of all, the default config is very restrictive, and they don't
recommend the contrary.

The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT
of the sshd config.

They assured me that they rotate the passwords on a regular basis to
ensure that accountability is retained internally.

So, what happens when someone with an F5 product (whatever that is,
but it seems to run on a Unix-like OS) calls for support, and traces
the connection (*). Bingo, now one "customer" in the field has the F5
support password. All other customers in the same "rotation" of the
password have the same password. Ooops.

Having the password on a firewall-protected host on the internet may
not allow an easy "remote" exploit, but it sure allows someone with a
legit (userlevel) access to the box to elevate his privs to root.

As the crackerworld 10 years ago was collecting "common password
lists" for VMS and Unix machines, they must now be collecting
passwords to F5 machines.

In conclusion: maybe it's acceptable to distribute

support:*AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash

then when support is necessary, instruct the sysop to remove the "*".

Or just distribute:

support:*:0:0:F5 remote support:/:/bin/bash

and ask the sysop to change the * to AgKPxJ3xBFOhM when support is
necessary. But shipping such an account enabled and accessible to
SOME is a risk that could be avoided.

                                Roger.

(*) So, they're going to ssh into the machine. That prevents snooping
at the ethernet. So snooping will have to be done on the machine, and
we can assume that the owners have their own Root password....

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
 "I didn't say it was your fault. I said I was going to blame it on you."
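The locking trick the post proposes (a leading "*" in the password field) is easy to audit for. The script below is an added example, not code from the message above or from F5: it reads passwd(5)-format lines, picks out every UID-0 account other than root, and reports whether its password field is locked, enabled, shadowed or empty. The sample lines are constructed for the example, built around the "support" line quoted in the post.

```python
# Audit /etc/passwd-format lines for extra UID-0 (root-equivalent) accounts and
# report whether each one is locked, enabled, passwordless or shadowed.
# Added example for this post's point about the "support" account; it is not
# code from the original message or from F5.

# Constructed sample: the locked "support" line the post proposes (leading "*"),
# plus the enabled and empty-password forms a sysop would want flagged.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
support:*AgKPxJ3xBFOhM:0:0:F5 remote support:/:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
support2:AgKPxJ3xBFOhM:0:0:enabled support:/:/bin/bash
nopass::0:0:empty password field:/:/bin/sh
"""


def classify_password_field(pw: str) -> str:
    """Classify a passwd(5) password field.
    '*' or '!' prefix: can never equal crypt(3) output, so password login is
    impossible ('locked'). 'x': the hash lives in /etc/shadow ('shadowed').
    Empty: no password is asked for at all ('no-password'). Anything else is
    a live hash ('enabled')."""
    if pw == "":
        return "no-password"
    if pw == "x":
        return "shadowed"
    if pw.startswith(("*", "!")):
        return "locked"
    return "enabled"


def audit_uid0(passwd_text: str):
    """Return (user, status) for every UID-0 account other than 'root'."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # passwd(5) always has seven fields
            findings.append((line, "malformed"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, classify_password_field(pw)))
    return findings


if __name__ == "__main__":
    for user, status in audit_uid0(SAMPLE_PASSWD):
        print(f"{user}: {status}")
```

On a real host, feed it the contents of /etc/passwd and treat "enabled" and "no-password" as findings to act on; a "shadowed" entry needs the same check against /etc/shadow.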


