Bugtraq mailing list archives

Re: F5 Networks Security Advisory (fwd)


From: mike.johnson () GD-CS COM (Mike Johnson)
Date: Thu, 11 Nov 1999 12:48:14 -0500


Okay, first off, I've never used anything from F5.  In fact, I don't
think I've ever seen anything from them, firsthand.  However, my
thoughts on this are generic enough that this shouldn't matter.

At 10:18 PM 11/10/99 -0800, pedward () WEBCOM COM wrote:

> First of all, it's just stupid to sit here and say "They ship a product with
> a security hole, because it has a support password that is root priv'd".

How is this different from the backdoors that were found in other network
equipment, not too long ago?

> They assured me that they rotate the passwords on a regular basis to
> ensure that accountability is retained internally.

What is that regular basis?  Hourly?  Daily?  Weekly?  Monthly?  Yearly?
There's still at least two boxes out there with the same password.

> If the device shipped with a password that was obtained via a hex dump of
> a ROM, I could understand, but we're talking about a password that requires
> many hours of CPU time, or hundreds of thousands of dollars of hardware.

No, we're talking about a password that is identical on at least two systems.
This is bad, in my opinion.

> I don't like good people like F5 getting grilled, and sending me a stupid
> advisory, because someone cried the equivalent of 'Y2K bug'.

Again, if I had a system from F5, this bug would at least annoy me.

> Hey everybody, <insert fav dist> ships with a UID 0 account, its password
> is probably guessable.

This is what I really wanted to comment about.  First, why do the systems
ship with a password at all?  None of the OSes I've used ship with one,
but they do -require- you to create a password for the 'root' account
when you are physically at the terminal during install, or at first boot.
Without doing this, the system never boots entirely.  Or, it's done a
different way.  Take Cisco routers (at least the ones I've used) for
example.  You cannot remotely log into them if a password is not set.
Setting the password is as simple as plugging in a serial cable.  I think
F5 could/should do something similar to this, regardless of which IP
addresses are allowed to connect to the system.

> Grr, this just makes me mad that we're discussing this.

I see it as a security related bug.  Now, I'll probably never buy an F5
product, or be in any way involved in a purchasing decision related to
an F5 product, but that has nothing to do with this bug.  Still, I find
it interesting and I believe that it does belong on BUGTRAQ.

> --Perry

Mike

--
Mike Johnson - mike.johnson () gd-cs com
Network Engineer - New Technology Group
General Dynamics - All opinions are mine, not General Dynamics'.
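An added illustration of the first-boot gate Mike describes above (refuse remote login until every UID-0 account has been re-keyed away from a shipped default); this is example code written for this archive page, not code from the thread, from F5 or from Cisco. The passwd/shadow lines, the "vendor default" hash list and the hash strings are all constructed.

```shell
#!/bin/sh
# Added example: gate the remote-login service on UID-0 accounts having
# been re-keyed on the console. Files and hashes below are constructed.

# Return 0 when some UID-0 account still has no password, or a hash that
# appears on the vendor-default list; return 1 when all have been re-keyed.
default_root_password_present() {
    passwd_file=$1 shadow_file=$2 defaults_file=$3
    for user in $(awk -F: '$3 == 0 { print $1 }' "$passwd_file"); do
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        [ -z "$hash" ] && return 0                         # no password at all
        grep -qxF -- "$hash" "$defaults_file" && return 0  # still the shipped one
    done
    return 1
}

# Decide whether remote login may be enabled; print the decision, return 1 on deny.
remote_login_gate() {
    if default_root_password_present "$1" "$2" "$3"; then
        echo "deny: set a new password on the console first"
        return 1
    fi
    echo "allow"
}

# Build constructed passwd/shadow/defaults files in a temp dir; print its path.
make_sample_files() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nsupport:x:0:0:vendor:/:/bin/sh\nops:x:1000:1000::/home/ops:/bin/sh\n' > "$d/passwd"
    printf 'root:$6$constructed$rootlocal:0:0:99999:7:::\nsupport:$6$constructed$shippedDefault:0:0:99999:7:::\nops:$6$constructed$opshash:0:0:99999:7:::\n' > "$d/shadow"
    printf '$6$constructed$shippedDefault\n' > "$d/defaults"   # known vendor default (constructed)
    echo "$d"
}

# Simulate the console re-key step: $1 shadow file, $2 user, $3 new hash.
rekey_account() {
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}
```

Running it against the constructed files yields "deny" while the shared `support` hash is still on the default list, and "allow" only after `rekey_account` replaces it.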


