[12520] in bugtraq
Re: BigIP - bigconf.cgi holes
daemon@ATHENA.MIT.EDU (Rob Gilde)
Wed Nov 10 22:11:54 1999
Message-Id: <111627409F79D2119FB100A0C9EEDC3ED73607@f5-exchange.win.net>
Date: Wed, 10 Nov 1999 18:59:49 -0800
Reply-To: Rob Gilde <r.gilde@F5.COM>
From: Rob Gilde <r.gilde@F5.COM>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Guy Cohen writes:
| Unfortunately this affects version 2.1.2 too.
| I have added (using the HTML interface) a user with READ-ONLY access, logged
| in as this user and by executing
| 'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was
| able to see the encrypted passwords in /etc/master.passwd, which is for
| root eyes only.
Good point. That slipped past us. We will release a patch on Thursday
11/10, Version 2.1.2 PTF-02. Hopefully this will not be a problem for
most customers since they are very unlikely to give access to a
malicious user. The patch will be available through the normal means.
Ejovi Nuwere writes:
| So if I understand correctly, F5 has made many improvements to the
| security of BigIP. Now was adding a second account with uid 0 without the
| knowledge of the user part of that plan?
| This is blatantly bad security practice, every BigIP box I have come
| across has this account. Not only did you add a shell account, but you did
| the same for the browser configuration tool:
The second account has always been part of the product, so it is not
something that we slipped in. It has always been visible to any user who
looked for it. Most importantly, the account is only used by F5 Networks
when a customer has explicitly requested that F5 do so. I apologize to any
customers who were caught unaware of this.
In any case, now that you've brought up the subject, we have re-evaluated
the advantages and disadvantages of having this account and we have decided
to henceforth disable it by default. We will be contacting each of our
customers individually and recommending that they disable the support
account or change the password.
Even though your posting included hashed passwords, since the hashing
algorithm is very strong, we do not believe that any BIG/ip or 3DNS units
have a security risk at this time.
Customer feedback like this has helped us improve the quality of the products
since their inception, not only in security, but in capabilities and
usability. We are very grateful!
Rob Gilde
Product Development Manager
voice: 206-505-0857
email: rob@f5.com
F5 Networks, Inc.
200 First Avenue West, Suite 500
Seattle, WA 98119
http://www.f5.com
1-888-88BIGIP
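The report quoted at the top of this reply (a read-only GUI user viewing /etc/master.passwd through bigconf.cgi's view_textfile command) comes down to a file-view handler that did not restrict which files it would show or to whom. The following is an added example, not F5's code and not part of the thread: it shows the allowlist check such a handler should make before opening any file, and a log-review check that flags requests matching the reported pattern in constructed access-log lines. The directory, file names, roles and log lines are all assumptions made for illustration.

```python
"""Defensive checks around a 'view text file' CGI parameter (added example).

is_permitted_view() is the server-side gate: the requested name must resolve
inside an allowlisted directory, name an allowlisted file, and the caller's
role must be one that may view files.  flag_log_line() is the review-time
counterpart: it parses a Common Log Format line and flags view_textfile
requests whose file parameter escapes the allowlist or whose filters
parameter is made of shell metacharacters.
"""
import os
import re
from urllib.parse import unquote, urlsplit

# Assumed: the only directory whose files the CGI should ever display.
ALLOWED_ROOT = "/var/f5/config"
# Assumed: the named files a GUI user may view inside ALLOWED_ROOT.
ALLOWED_FILES = {"bigip.conf", "bigip_base.conf"}
# Assumed: roles the configuration GUI attaches to a session.
ROLES_MAY_VIEW = {"admin", "readonly"}


def resolve_under_root(requested: str):
    """Resolve `requested` relative to ALLOWED_ROOT; None if it escapes.

    Absolute paths are refused outright, and '..' components are collapsed
    before the containment check, so both '/etc/master.passwd' and
    '../../etc/master.passwd' come back as None.
    """
    if os.path.isabs(requested):
        return None
    candidate = os.path.normpath(os.path.join(ALLOWED_ROOT, requested))
    if os.path.commonpath([ALLOWED_ROOT, candidate]) != ALLOWED_ROOT:
        return None
    return candidate


def is_permitted_view(role: str, requested: str) -> bool:
    """True only if `role` may display `requested` (checked before any open())."""
    if role not in ROLES_MAY_VIEW:
        return False
    path = resolve_under_root(requested)
    return (path is not None
            and os.path.dirname(path) == ALLOWED_ROOT
            and os.path.basename(path) in ALLOWED_FILES)


# Common Log Format: client, ident, user, [time], "method target proto", status, bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
SHELL_META = re.compile(r"[;|&`$]")


def parse_query(query: str) -> dict:
    """Split a query string on '&' only; first value wins for repeated keys.

    Older urllib.parse.parse_qs also split on ';', which would silently drop
    the bare ';' seen in the reported request, so this is done by hand.
    """
    out = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        out.setdefault(unquote(key), unquote(value))
    return out


def flag_log_line(line: str):
    """Return a reason string if the line matches the reported pattern, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, user, when, _method, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/bigconf.cgi"):
        return None
    params = parse_query(url.query)
    if params.get("command") != "view_textfile":
        return None
    reasons = []
    file_param = params.get("file", "")
    if resolve_under_root(file_param) is None:
        reasons.append(f"file parameter escapes {ALLOWED_ROOT}: {file_param}")
    filters = params.get("filters", "")
    if SHELL_META.search(filters):
        reasons.append(f"shell metacharacter in filters: {filters!r}")
    if not reasons:
        return None
    return f"{when} {client} user={user} status={status}: " + "; ".join(reasons)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # the request pattern quoted in the thread, issued by a read-only user
    '10.0.0.5 - readonly [10/Nov/1999:18:59:49 -0800] "GET /bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=; HTTP/1.0" 200 1843',
    # a benign view of an allowlisted file inside ALLOWED_ROOT
    '10.0.0.7 - admin [10/Nov/1999:19:02:11 -0800] "GET /bigconf.cgi?command=view_textfile&file=bigip.conf&filters= HTTP/1.0" 200 5120',
    # a different bigconf.cgi command, not of interest to this check
    '10.0.0.7 - admin [10/Nov/1999:19:03:00 -0800] "GET /bigconf.cgi?command=list_vips HTTP/1.0" 200 410',
]


def scan(lines):
    """Return the flagged findings for a sequence of access-log lines."""
    return [hit for hit in (flag_log_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The gate resolves the path before comparing it, which is what makes the check hold against both absolute names and `..` traversal; comparing the raw string against a prefix would not. The log check treats a `filters` value made of shell punctuation as worth a look simply because the reported request carried one; whether the CGI passes that parameter to a shell is not something this thread states, so the flag is a review heuristic, not a verdict.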