Re: BigIP - bigconf.cgi holes

[r.gilde () F5 COM (Rob Gilde)]

Guy Cohen writes:
| unfortunately This effects version 2.1.2 too.
| I have added (using the html interface) user with READ-ONLY access, logged
| in as this user and by executing
| 'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was
| able to see the the encrypted passwords in /etc/master.passwd witch is for
| root eyes only.

Good point.  That slipped past us.  We will release a patch on Thursday
11/10, Version 2.1.2 PTF-02.  Hopefully this will not be a problem for
most customers since they are very unlikely to give access to a
malicious user.  The patch will be available through the normal means.

Ejovi Nuwere writes:
| So if I understand correctly, F5 has made many improvements to the
| security of BigIP. Now was adding a second account with uid 0 without the
| knowlede of the user part of that plan?

| This is blatently bad security practice, every BigIP box I have come
| across has this account. Not only did you add a shell account, but you did
| the same for the browser configuration tool:

The second account has always been part of the product, so it is not
something that we slipped in.  It has always been visible to any user who
looked for it.  Most importantly, the account is only used by F5 Networks
when a customer has explicitly requested that F5 do so.  I apologize to any
customers who were caught unaware of this.

In any case, now that you've brought up the subject, we have re-evaluated
the advantages and disadvantages of having this account and we have decided
to henceforth disable it by default.  We will be contacting each of our
customers individually and recommending that they disable the support
account or change the password.

Even though your posting included hashed passwords, since the hashing
algorithm is very strong, we do not believe that any BIG/ip or 3DNS units
have a security risk at this time.

Customer feedback like this has helped us improve the quality of the products
since their inception, not only in security, but in capabilities and
usability.  We are very grateful!

Rob Gilde
Product Development Manager
voice: 206-505-0857
email: rob () f5 com

F5 Networks, Inc.
200 First Avenue West, Suite 500
Seattle, WA 98119
http://www.f5.com
1-888-88BIGIP

<!-- body="end" -->
<HR>

<UL>
<LI><STRONG>Next message:</STRONG> Gwendolynn ferch Elydyr: "F5 Networks Security Advisory (fwd)"
<LI><STRONG>Previous message:</STRONG> Richard Trott: "Re: BIND NXT Bug Vulnerability"
<LI><STRONG>In reply to:</STRONG> Elias Levy: "BIND NXT Bug Vulnerability"
</UL>
<HR>

<SMALL>

This archive was generated by hypermail 2.0b3 
on Wed Nov 10 1999 - 21:08:35 CST</EM>
</EM>
</SMALL>
</BODY>
</HTML>