[12513] in bugtraq


No subject found in mail header

daemon@ATHENA.MIT.EDU (Ejovi Nuwere)
Wed Nov 10 13:04:40 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.10.9911091521240.18815-100000@funky.monkey.org>
Date:         Tue, 9 Nov 1999 15:59:02 -0500
Reply-To: Ejovi Nuwere <joewee@MONKEY.ORG>
From: Ejovi Nuwere <joewee@MONKEY.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Rob,

w00w00 was planning on addressing this issue, but I just can't control the
urge to speak...

So if I understand correctly, F5 has made many improvements to the
security of BigIP. Now was adding a second account with uid 0 without the
knowledge of the user part of that plan?

support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

This is blatantly bad security practice, every BigIP box I have come
across has this account. Not only did you add a shell account, but you did
the same for the browser configuration tool:

bigip1:~# cat /var/f5/httpd/basicauth/users
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
bigip1:~#

Now, I know what you're going to say. "It doesn't matter because of
restrictions in sshd_config" BUT! Remember this is a unix machine with a
unix user, I have a few people in the office who would rather allow ANY
location to connect to every box on the network, do you see where I'm
going with this? It isn't that far-fetched.

I place load balancers in the router category, and anything in that

bigip1:~# ls -la /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
bigip1:~#

category should be stripped down, to only core tools.

I say this in closing
-r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
support:_J9..1fnHY9nqgjRyOV2
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

w00giving : w00w00 pronounced wu-wu : ADM

joewee.

PS: BigIP is by far the best load balancer in the industry. I love it.


> Guy is discussing an issue that affects older versions of BIG/ip.
> As he points out, the risk is from internal users.  In older versions
> of BIG/ip, there is effectively only one user and that user has root
> privileges.  That user could execute commands as root through a shell
> escape in our web-based user interface.
>
> As of Version 2.1, this is no longer possible.  The current version
> of BIG/ip is 2.1.2.  The software update is available for free over
> the net to all customers with support contracts.
>
> In Version 2.1, in response to customer feedback, we removed the shell
> escape capability and also changed to multiple user levels in the
> web-based user interface.
>
> BIG/ip is a default-deny device, both for administrative traffic to it,
> and for traffic passing through it.  The product uses SSH for command
> line access and SSL for web access.  We welcome any feedback on how we
> can make the product more secure.
>
> Thanks!
>
> Rob Gilde
> Product Development Manager
> voice: 206-505-0857
> email: rob@f5.com
>
> F5 Networks, Inc.
> 200 First Avenue West, Suite 500
> Seattle, WA 98119
> http://www.f5.com
> 1-888-88BIGIP
----------------------------
Ejovi Nuwere [www.ejovi.net]
In God we trust.
The rest we monitor.
----------------------------
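The check the post is really asking for, as an added example that is not part of the original thread: parse a passwd-style file and flag every uid-0 account that is not literally `root`. It handles both the 7-field `/etc/passwd` layout and the 10-field BSD `master.passwd` layout (the quoted BigIP `support` entry has the BSD shape); the sample file below is constructed for the example, with a placeholder password field.

```python
from typing import List, NamedTuple


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    locked: bool  # password field starts with '*' or '!' (no usable hash)


def parse_passwd_line(line: str) -> Account:
    """Parse one passwd (7 fields) or BSD master.passwd (10 fields) entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 7:    # name:pw:uid:gid:gecos:home:shell
        name, pw, uid, gid, gecos, home, shell = fields
    elif len(fields) == 10:  # name:pw:uid:gid:class:change:expire:gecos:home:shell
        name, pw, uid, gid, _cls, _chg, _exp, gecos, home, shell = fields
    else:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    locked = pw.startswith(("*", "!"))
    return Account(name, int(uid), int(gid), gecos, home, shell, locked)


def find_extra_superusers(text: str) -> List[Account]:
    """Return every uid-0 account whose name is not 'root', skipping comments."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        acct = parse_passwd_line(line)
        if acct.uid == 0 and acct.name != "root":
            hits.append(acct)
    return hits


# Constructed sample in BSD master.passwd layout, modelled on the post;
# 'xx' stands in for a real password hash.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/sh
support:xx:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
"""

if __name__ == "__main__":
    for a in find_extra_superusers(SAMPLE):
        print(f"extra uid-0 account {a.name!r}: shell={a.shell} locked={a.locked}")
```

On a live box run it against `/etc/passwd` or `/etc/master.passwd`; any hit with `locked=False` and a real shell is an interactive root login that should be accounted for.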
