[12542] in bugtraq
Re: F5 Networks Security Advisory (fwd)
daemon@ATHENA.MIT.EDU (Mike Johnson)
Fri Nov 12 11:59:03 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.19991111124814.01a1078c@192.133.124.9>
Date: Thu, 11 Nov 1999 12:48:14 -0500
Reply-To: Mike Johnson <mike.johnson@GD-CS.COM>
From: Mike Johnson <mike.johnson@GD-CS.COM>
X-To: pedward@WEBCOM.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199911110619.WAA14731@eris.webcom.com>
Okay, first off, I've never used anything from F5. In fact, I don't
think I've ever seen anything from them, firsthand. However, my
thoughts on this are generic enough that this shouldn't matter.
At 10:18 PM 11/10/99 -0800, pedward@WEBCOM.COM wrote:
>First of all, it's just stupid to sit here and say "They ship a product with
>a security hole, because it has a support password that is root priv'd".
How is this different from the backdoors that were found in other network
equipment, not too long ago?
>They assured me that they rotate the passwords on a regular basis to
ensure >that accountability is retained internally.
What is that regular basis? Hourly? Daily? Weekly? Monthly? Yearly?
There's still at least two boxes out there with the same password.
>If the device shipped with a password that was obtained via a hex dump of
a >ROM, I could understand, but we're talking about a password that requires
>many hours of CPU time, or hundreds of thousands of dollars of hardware.
No, we're talking about a password that is identical on at least two systems.
This is bad, in my opinion.
>I don't like good people like F5 getting grilled, and sending me a stupid
>advisory, because someone cried the equivelent of 'Y2K bug'.
Again, if I had a system from F5, this bug would at least annoy me.
>Hey everybody, <insert fav dist> ships with a UID 0 account, it's password
>is probably guessable.
This is what I really wanted to comment about. First, why do the systems
ship with a password at all? None of the OSes I've used ship with one,
but they do -require- you to create a password for the 'root' account
when you are physically at the terminal during install, or at first boot.
Without doing this, the system never boots entirely. Or, it's done a
different way. Take Cisco routers (at least the one's I've used) for
example. You cannot remotely log into them if a password is not set.
Setting the password is as simple as plugging in a serial cable. I think
F5 could/should do something similar to this, regardless of which IP
addresses are allowed to connect to the system.
>Grr, this just makes me mad that we're discussing this.
I see it as a security related bug. Now, I'll probably never buy an F5
product, or be in any way involved in a purchasing decision related to
an F5 product, but that has nothing to do with this bug. Still, I find
it interesting and I believe that it does belong on BUGTRAQ.
>--Perry
Mike
--
Mike Johnson - mike.johnson@gd-cs.com
Network Engineer - New Technology Group
General Dynamics - All opinions are mine, not General Dynamics'.
