[12524] in bugtraq


Re: F5 Networks Security Advisory (fwd)

daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Thu Nov 11 12:27:47 1999

Content-Type: text
Message-Id:  <199911110619.WAA14731@eris.webcom.com>
Date:         Wed, 10 Nov 1999 22:18:54 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To:         gwen@reptiles.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.3.96.991110215347.12485v-100000@komodo.reptiles.org>
              from "Gwendolynn ferch Elydyr" at Nov 10, 99 09:54:17 pm

I am upset about the recent thread about the Big/ip support account on Bugtraq.

First of all, it's just stupid to sit here and say "They ship a product with
a security hole, because it has a support password that is root priv'd".

I have known about this for nearly 2 years, questioned them initially, but wrote
it off as non-consequential.

First of all, the default config is very restrictive, and they don't recommend
the contrary.

The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT of the sshd
config.

They assured me that they rotate the passwords on a regular basis to ensure that
accountability is retained internally.

If the device shipped with a password that was obtained via a hex dump of a ROM,
I could understand, but we're talking about a password that requires many hours
of CPU time, or hundreds of thousands of dollars of hardware.

I don't like good people like F5 getting grilled, and sending me a stupid advisory,
because someone cried the equivalent of 'Y2K bug'.

When will the discussion of real security threats return to Bugtraq?

Hey everybody, <insert fav dist> ships with a UID 0 account, its password is probably
guessable.

Grr, this just makes me mad that we're discussing this.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
