COMMAND

    BigIP

SYSTEMS AFFECTED

    Who uses BigIP

PROBLEM

    Ejovi Nuwere found the following. F5 has made many improvements to
    the security of BigIP. Now, was adding a second account with uid 0
    without the knowledge of the user part of that plan?

        support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

    This is blatantly bad security practice. Not only did you add a
    shell account, but you did the same for the browser configuration
    tool:

        bigip1:~# cat /var/f5/httpd/basicauth/users
        admin:MdA00w00w
        support:_J9..1fnHY9nqgjRyOV2
        bigip1:~#
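    The two listings above are the kind of artefact an administrator can
    check for on any unit. The following audit helper is an added example
    written for this page; it is not part of the advisory, nor F5 code. It
    parses passwd-style files (both the 10-field BSD master.passwd layout
    shown above and the 7-field Linux layout, since the uid is the third
    field in either), flags every uid-0 account other than root, parses an
    Apache-style "user:hash" basic-auth file, and reports when the same
    credential hash grants both shell and GUI access. The sample input is
    constructed from the advisory's listing; the file paths, function names
    and the "support" account name are assumptions for illustration.

```python
"""Audit helper (added example, not from the advisory or F5): flag extra
uid-0 accounts and vendor entries in an httpd basic-auth users file."""

# Constructed sample input modelled on the advisory's 10-field listing.
SAMPLE_BSD_PASSWD = """\
root:*:0:0:daemon:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:0:0:Owner of many system processes:/root:/sbin/nologin
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
"""

# Constructed 7-field Linux-style file with no extra root account.
SAMPLE_LINUX_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
"""

# Constructed copy of the basic-auth users file from the advisory.
SAMPLE_BASICAUTH = """\
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
"""


def parse_passwd(text):
    """Return (name, hash, uid, shell) for each well-formed passwd line.

    Accepts 7-field /etc/passwd and 10-field BSD master.passwd lines;
    malformed lines are skipped rather than raising."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            continue
        name, pwhash, uid_str = fields[0], fields[1], fields[2]
        shell = fields[-1]
        try:
            uid = int(uid_str)
        except ValueError:
            continue
        entries.append((name, pwhash, uid, shell))
    return entries


def extra_root_accounts(text, allowed=("root",)):
    """Names of uid-0 accounts that are not in the allowed set."""
    return [name for name, _, uid, _ in parse_passwd(text)
            if uid == 0 and name not in allowed]


def hash_scheme(pwhash):
    """Rough classification of a crypt(3)-style password field."""
    if pwhash in ("", "*", "!", "x"):
        return "locked-or-shadowed"
    if pwhash.startswith("_"):
        return "bsdi-extended-des"   # the scheme F5's response calls extended-DES
    if pwhash.startswith("$"):
        return "modular-crypt"
    return "traditional-des"


def parse_basicauth(text):
    """Map user -> hash for an Apache-style 'user:hash' file."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, pwhash = line.partition(":")
            users[name.strip()] = pwhash.strip()
    return users


def audit(passwd_text, basicauth_text, vendor_accounts=("support",)):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    for name in extra_root_accounts(passwd_text):
        findings.append(f"extra uid-0 shell account: {name}")
    gui_users = parse_basicauth(basicauth_text)
    for name in vendor_accounts:
        if name in gui_users:
            findings.append(f"vendor account present in basic-auth users: {name}")
    # One hash reused in both files means a single credential opens shell and GUI.
    shell_hashes = {n: h for n, h, _, _ in parse_passwd(passwd_text)}
    for name, h in gui_users.items():
        if (name in shell_hashes and shell_hashes[name] == h
                and hash_scheme(h) != "locked-or-shadowed"):
            findings.append(f"shared credential for shell and GUI: {name}")
    return findings


if __name__ == "__main__":
    # Assumed paths for a live check: /etc/master.passwd (or /etc/passwd)
    # and /var/f5/httpd/basicauth/users as shown in the advisory.
    for finding in audit(SAMPLE_BSD_PASSWD, SAMPLE_BASICAUTH):
        print(finding)
</test>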

SOLUTION

    These passwords are used by F5 support personnel to gain access to
    units in the field when a customer has requested them to do so.
    The actual passwords are still secret, however, knowledge of the
    hashed version makes it easier to discover the password itself.
    The encryption used for scrambling the support password is
    extended-DES and is not easily compromised.

    Customers have always had the ability to change the password on
    Big/IP + 3DNS. Those who have done this are not at risk.
    Further, by default, BIG/ip and 3DNS only allow login access from
    F5's network address. However, for the sake of convenience, some
    customers may have relaxed this restriction. Also, it is
    possible for hackers to spoof a network address.

    In order to ensure maximum security for your system, we recommend
    that all customers change their support passwords immediately
    using the procedure outlined below. F5 will release a patch that
    automatically removes the support account from the GUI and
    disables it from shell access. You can access this patch
    tomorrow at the URL listed below, however, completing the
    referenced procedure will accomplish the same actions as the
    patch.