[12547] in bugtraq


Re: F5 Networks Security Advisory (fwd)

daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Fri Nov 12 12:43:45 1999

Content-Type: text
Message-Id:  <199911111820.KAA00453@eris.webcom.com>
Date:         Thu, 11 Nov 1999 10:20:16 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To:         Mike Johnson <mike.johnson@GD-CS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.3.32.19991111124814.01a1078c@192.133.124.9> from "Mike
              Johnson" at Nov 11, 99 12:48:14 pm

>
> Okay, first off, I've never used anything from F5.  In fact, I don't
> think I've ever seen anything from them, firsthand.  However, my
> thoughts on this are generic enough that this shouldn't matter.
>
> At 10:18 PM 11/10/99 -0800, pedward@WEBCOM.COM wrote:
>
> >First of all, it's just stupid to sit here and say "They ship a product with
> >a security hole, because it has a support password that is root priv'd".
>
> How is this different from the backdoors that were found in other network
> equipment, not too long ago?

In the other systems, the password was obtained through a hex dump of the firmware;
this is Extended DES encoded, much stronger than anything in firmware, to date.

>
> >They assured me that they rotate the passwords on a regular basis to
> >ensure that accountability is retained internally.
>
> What is that regular basis?  Hourly?  Daily?  Weekly?  Monthly?  Yearly?
> There's still at least two boxes out there with the same password.

I was told monthly.

>
> >If the device shipped with a password that was obtained via a hex dump of
> >a ROM, I could understand, but we're talking about a password that requires
> >many hours of CPU time, or hundreds of thousands of dollars of hardware.
>
> No, we're talking about a password that is identical on at least two systems.
> This is bad, in my opinion.

How are they going to fulfill their support contract without it?  They login
and upgrade your system for you, with your knowledge, of course.

>
> >I don't like good people like F5 getting grilled, and sending me a stupid
> >advisory, because someone cried the equivalent of 'Y2K bug'.
>
> Again, if I had a system from F5, this bug would at least annoy me.

It's not a bug, it's a policy decision.  People are freaking over it because
of the mass hysteria created by 'ohh, you shouldn't have a vendor password'.

>
> >Hey everybody, <insert fav dist> ships with a UID 0 account, it's password
> >is probably guessable.
>
> This is what I really wanted to comment about.  First, why do the systems
> ship with a password at all?  None of the OSes I've used ship with one,
> but they do -require- you to create a password for the 'root' account
> when you are physically at the terminal during install, or at first boot.
> Without doing this, the system never boots entirely.  Or, it's done a
> different way.  Take Cisco routers (at least the ones I've used) for
> example.  You cannot remotely log into them if a password is not set.
> Setting the password is as simple as plugging in a serial cable.  I think
> F5 could/should do something similar to this, regardless of which IP
> addresses are allowed to connect to the system.

Unix is slightly different than embedded, but this could be achieved via:

/etc/securetty:
/dev/ttyS0

>
> >Grr, this just makes me mad that we're discussing this.
>
> I see it as a security related bug.  Now, I'll probably never buy an F5
> product, or be in any way involved in a purchasing decision related to
> an F5 product, but that has nothing to do with this bug.  Still, I find
> it interesting and I believe that it does belong on BUGTRAQ.

That's the point, it's not a 'bug', it's a policy set forth by F5.  Someone
may disagree with this policy, but I don't.  I have faith in the security
they maintain, to trust them with access to my box.

I didn't intend this to be an attack on you, I was addressing the list as a whole.

>
> >--Perry
>
> Mike
>
> --
> Mike Johnson - mike.johnson@gd-cs.com
> Network Engineer - New Technology Group
> General Dynamics - All opinions are mine, not General Dynamics'.
>

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
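The /etc/securetty suggestion above restricts where root may log in directly, so a vendor's root-level support account is only usable from a local console rather than over the network. The following POSIX sh script is an added example, not part of the original thread or of any F5 product: it audits a securetty-style file and reports any listed device that is not a local console (serial ports, virtual consoles and the system console are the devices it accepts; that list, the sample files it constructs, and the treatment of an absent file as a finding are assumptions of this example, since how a missing file is handled depends on the login program or PAM module in use).

```shell
#!/bin/sh
# Added example (not from the original thread): audit a securetty-style file
# so that direct root logins are limited to local console devices.
# Login programs that honour securetty refuse a direct root login on any tty
# that is not named in the file.

# audit_securetty FILE
# Returns 0 if every tty named in FILE is a local console device, 1 otherwise.
# Offending entries (or a note that the file is missing) are printed to stdout.
audit_securetty() {
    file="$1"
    status=0
    # Assumption for this example: an absent file is reported as a finding,
    # because some login programs then allow root on every tty.
    if [ ! -f "$file" ]; then
        echo "missing:$file"
        return 1
    fi
    # An empty file lists no tty, so root cannot log in directly anywhere:
    # restrictive rather than weak, so it passes.
    [ -s "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in ''|'#'*) continue ;; esac
        # accept both "ttyS0" and "/dev/ttyS0" spellings
        dev="${line#/dev/}"
        case "$dev" in
            ttyS[0-9]*|tty[0-9]*|console) ;;   # local console devices: allowed
            *) echo "$dev"; status=1 ;;        # pts/*, ttyp*, etc. are reachable remotely
        esac
    done < "$file"
    return $status
}

# Constructed sample files for demonstration (not from any real system).
tmp=$(mktemp -d)
printf '%s\n' '/dev/ttyS0' > "$tmp/securetty.good"
printf '%s\n' '/dev/ttyS0' 'pts/0' 'ttyp0' > "$tmp/securetty.bad"

if audit_securetty "$tmp/securetty.good" >/dev/null; then
    echo "securetty.good: root login limited to the local console"
fi
if ! audit_securetty "$tmp/securetty.bad"; then
    echo "securetty.bad: the entries above permit root login on non-console ttys"
fi
rm -rf "$tmp"
```

Run it as-is to see both outcomes on the constructed samples, or call `audit_securetty /etc/securetty` on a host to check the real file; a non-zero exit with printed entries means root can still log in directly on something other than the local console.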
