Bugtraq mailing list archives
Re: F5 Networks Security Advisory (fwd)
From: mike.johnson () GD-CS COM (Mike Johnson)
Date: Thu, 11 Nov 1999 12:48:14 -0500
Okay, first off, I've never used anything from F5. In fact, I don't think I've ever seen anything from them, firsthand. However, my thoughts on this are generic enough that this shouldn't matter.
At 10:18 PM 11/10/99 -0800, pedward () WEBCOM COM wrote:
> First of all, it's just stupid to sit here and say "They ship a product with a security hole, because it has a support password that is root priv'd".
How is this different from the backdoors that were found in other network equipment, not too long ago?
> They assured me that they rotate the passwords on a regular basis to
> ensure that accountability is retained internally.
What is that regular basis? Hourly? Daily? Weekly? Monthly? Yearly? There are still at least two boxes out there with the same password.
> If the device shipped with a password that was obtained via a hex dump of
> a ROM, I could understand, but we're talking about a password that requires
> many hours of CPU time, or hundreds of thousands of dollars of hardware.
No, we're talking about a password that is identical on at least two systems. This is bad, in my opinion.
> I don't like good people like F5 getting grilled, and sending me a stupid advisory, because someone cried the equivalent of 'Y2K bug'.
Again, if I had a system from F5, this bug would at least annoy me.
> Hey everybody, <insert fav dist> ships with a UID 0 account, its password is probably guessable.
This is what I really wanted to comment about. First, why do the systems ship with a password at all? None of the OSes I've used ship with one, but they do -require- you to create a password for the 'root' account when you are physically at the terminal during install, or at first boot. Without doing this, the system never boots entirely. Or, it's done a different way. Take Cisco routers (at least the ones I've used) for example. You cannot remotely log into them if a password is not set. Setting the password is as simple as plugging in a serial cable. I think F5 could/should do something similar to this, regardless of which IP addresses are allowed to connect to the system.
> Grr, this just makes me mad that we're discussing this.
I see it as a security related bug. Now, I'll probably never buy an F5 product, or be in any way involved in a purchasing decision related to an F5 product, but that has nothing to do with this bug. Still, I find it interesting and I believe that it does belong on BUGTRAQ.
> --Perry
Mike
--
Mike Johnson - mike.johnson () gd-cs com
Network Engineer - New Technology Group
General Dynamics - All opinions are mine, not General Dynamics'.
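The first-boot behaviour argued for in the message above, as an added example (not part of the original post, and not F5's or Cisco's code): remote login stays refused until someone on the local console has replaced an unset, locked or factory-shared root password. The function names, the `FACTORY_HASHES` value and the shadow(5)-style sample lines are constructed for illustration.

```python
# Constructed placeholder: the hash a hypothetical vendor image ships on every unit.
FACTORY_HASHES = {"$6$factorysalt$CONSTRUCTED-HASH-SHARED-BY-ALL-UNITS"}


def root_password_state(shadow_text, factory_hashes=FACTORY_HASHES):
    """Classify root's shadow(5) password field.

    Returns 'unset', 'locked', 'factory' (same hash as every other unit)
    or 'set' (a password chosen on this unit).
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != "root":
            continue
        pw = fields[1]
        if pw == "":
            return "unset"
        if pw.startswith(("!", "*")):
            return "locked"
        if pw in factory_hashes:
            return "factory"
        return "set"
    return "unset"  # no root entry at all: treat as not provisioned


def login_decision(shadow_text, via_console, factory_hashes=FACTORY_HASHES):
    """Gate logins on the password state.

    'allow'               - a unit-specific password exists
    'prompt_set_password' - local console only: force the operator to choose one
    'refuse'              - remote session while the unit is unprovisioned
    """
    if root_password_state(shadow_text, factory_hashes) == "set":
        return "allow"
    return "prompt_set_password" if via_console else "refuse"


# Constructed sample shadow files for three units.
FRESH_UNIT = "root::10900:0:99999:7:::\ndaemon:*:10900:0:99999:7:::"
FACTORY_UNIT = "root:$6$factorysalt$CONSTRUCTED-HASH-SHARED-BY-ALL-UNITS:10900:0:99999:7:::"
PROVISIONED_UNIT = "root:$6$unitsalt$CONSTRUCTED-PER-UNIT-HASH:10900:0:99999:7:::"

if __name__ == "__main__":
    for name, shadow in [("fresh", FRESH_UNIT), ("factory", FACTORY_UNIT),
                         ("provisioned", PROVISIONED_UNIT)]:
        print(name, login_decision(shadow, via_console=False),
              login_decision(shadow, via_console=True))
```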