F5: Don't panic but folks can slip past vulnerable firewall servers, thanks to libssh's credentials-optional 'security'

Network box maker F5 has shipped some firewall gear that is potentially vulnerable to the libssh authentication-bypass bug. That means anyone who can reach the at-risk systems over the network or internet can, depending on the configuration, tunnel through to backend infrastructure simply by asking nicely. The vulnerability, …

  1. angardner

    People still buying these overpriced hardware load balancer behemoths?? Shame on you

    1. Anonymous Coward

      Overpriced load balancer behemoths

      yes, they are still very much used - sometimes they are the only things approved for certain environments

      Anon because........

    2. Drew Scriver

      Here we go again...

      They're ADCs, not merely "load balancers", and yes, they still very much play a crucial role in today's fabric. Granted, many companies use them for little more than load balancing, but that's a whole different story. Kind of like using only the scissors of your Victorinox Champ and complaining how much the company charges for scissors.

      It's a bit baffling that El Reg calls them "load balancers", but then again, whoever wrote the article also doesn't seem to know how the name of F5's main product line is spelled.

      F5 stopped calling them load balancers over a decade ago. Gartner concurred. To top it off, the bug affects only the AFM module. Load balancing is performed by the LTM module...

      Rather sloppy reporting.

  2. rmason

    Loads of places

    Loads of places use them. At least when we last looked a few years back there wasn't much out there that could do the same level of packet manipulation at a similar cost. They aren't just "simple" load balancers.

    So, yes, they'll be all over the place

    1. W60

      Re: Loads of places

      100% agreed. Looked at nginx last year and tried to see if we could replace our F5 setups, and while it covered the basic functionality and some traffic manipulation, their sales engineers in the end admitted it couldn't replicate the config. This said, they cost a pretty penny but are usually rock solid devices which do what they say on the tin.

      When I read the article title it was a brown trouser moment, thinking I was about to have a long weekend, but the title did not match the content (we don't use AFM).

    2. bombastic bob Silver badge

      Re: Loads of places

      Apparently this advisory has been claimed for FreeBSD, although the 'base' version of libssh isn't affected (according to the devs). Apparently a ports version might be, however.

      There seems to be a bit of FUD circulating around with respect to this advisory, but understandably so. I saw some reference to it affecting FreeBSD, but according to the devs, it's a different library in 'base'. Things using libssh from ports, on the other hand, may be affected. Not clear on whether or when it had the bug. Apparently patched now.

      AWS apparently claims they're using a different version of libssh, so no problems there. I have to wonder if they're running FreeBSD or OpenBSD... (and that THIS is the reason why they're not affected - forked from the BSD version maybe?)

  3. Anonymous Coward

    Clickbait title?

    The title and first paragraph suggest that "anyone can log into our load balancers", yet further down it states "There is no control plane exposure to this issue. It is only exposed when using the SSH proxy functionality ... could create channels without first performing authentication"

    I take it the vulnerability does not let anyone "log into" the machine but allows SOCKS-proxy connections via SSH.

    The bug is still critical, though, if connections *from* the F5 can access servers deeper inside the network, behind the outer firewall.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Clickbait title?

      "allows SOCKS-proxy connections via SSH"

      Yeah, we've updated the piece to clarify the impact. Ultimately, the bug can be exploited to reach backend systems, depending on the configuration.

      C.

  4. Claptrap314 Silver badge

    State machines are hard?

    LOL. Maybe this is why everywhere I go, I'm considered a regexp expert.

    State machines are NOT that hard. Certainly, we want to abstract them out most of the time, because we really don't want to think of a 32-bit register as >4 billion states. What's hard is when people fail to decouple the state machine from the rest of the code.

    And, yes, goto is still considered harmful, so if some junior programmer, especially without the appropriate training, attempts one, he's likely to mess it up as badly as anything else that he's not prepared to handle.

    For serious parsers, you might just want to look into these newfangled tools out there--they go by "lex" and "yacc".

    I've never gone so far that I needed these tools, but then I'm a mathematician. I DO view processors as state machines, I just know when & how to abstract that detail away.

    1. Anonymous Coward

      Re: State machines are hard?

      Really? In my CP/M programming days (yes...that would be in the 1980s) my go-to book for an excellent exposition of good design (often multiple improved designs) was "A Programmer's Notebook: Utilities for CP/M-80" by David E Cortesi. Assembler...1983!!

      One chapter developed an elegant and simple state machine: design considerations, program logic in structured English, final code in CP/M assembler. Even though I've moved on from CP/M assembler (!), David Cortesi's book has been a go-to book for thirty years because it describes a robust process from design through implementation. With examples like this, how can someone say in 2018 that this type of programming is HARD?

      1. John Gamble

        Re: State machines are hard?

        "With examples like this, how can someone say in 2018 that this type of programming is HARD?"

        In part because Cortesi was a genius at producing spare, yet robust, code. There weren't many people who could match him for analysis of code or algorithms.

        It's great that he had examples that you could adapt for your own use, but not everyone has his books or columns instantly available to them.

  5. astounded1

    Yesterday's Fabric Needs Yesterday's Machines

    Isn't that why you have conversations over drinks, whispering in the corner, about how much longer you can milk the current gig?

  6. Chairman of the Bored

    I like the defensive programming reminder from AWS

    I'm not a good programmer and my knowledge of formal cs-jitsu is poor. I can't get an object to do what I want it to if I beat it with a cosh.

    But! My embedded code has worked very well.

    That's because I try to pre-compute everything I can ahead of time and load up ROM with lookup tables and whatnot. No ROM? Fine, static structures. State machine? No problem. I'm going to give you a table of pointers that cannot be modified at runtime. And because the state machine exists as a table ... we can formally evaluate its truth.

    Lookup tables and fixed point arithmetic... I consider it a personal accomplishment if I can avoid having to do any floating point math - even in instrumentation systems.
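The two comments above (Claptrap314's point about decoupling the state machine from the rest of the code, and Chairman of the Bored's table of pointers that cannot be modified at runtime) map directly onto the bug class behind the article, where a session could open channels without first completing authentication. The following C program is an added illustration, not code from libssh, F5 or any commenter: a table-driven model of the server side of SSH authentication in which the transition table is a const object, peer messages and the local verifier's verdicts are separate event classes, and the only path into the authenticated state is the verifier's own "ok" event. The state and event names, the `session_*`/`run_script` helpers and the event sequences are all hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>

/* Protocol phases of one server-side session (hypothetical simplification). */
enum state { ST_PREAUTH, ST_AUTH_PENDING, ST_AUTHED, ST_FAIL, ST_N };

/* Inputs to the machine. Messages from the peer and verdicts from the local
 * credential check are separate event classes, so nothing the peer sends can
 * masquerade as a verdict. */
enum event {
    EV_PEER_USERAUTH_REQUEST,  /* client asks to authenticate */
    EV_PEER_USERAUTH_SUCCESS,  /* a message only a server may send, arriving from the client */
    EV_PEER_CHANNEL_OPEN,      /* client asks for a channel, e.g. the SSH proxy */
    EV_LOCAL_VERIFY_OK,        /* our own credential check passed */
    EV_LOCAL_VERIFY_FAIL,      /* our own credential check failed */
    EV_N
};

/* The transition table lives in read-only data. Reading it shows every path
 * into ST_AUTHED: there is exactly one, from ST_AUTH_PENDING on
 * EV_LOCAL_VERIFY_OK. A peer-sent USERAUTH_SUCCESS is a violation in every state. */
static const enum state next_state[ST_N][EV_N] = {
    /*                     UA_REQUEST       UA_SUCCESS  CHAN_OPEN   VERIFY_OK   VERIFY_FAIL */
    [ST_PREAUTH]      = { ST_AUTH_PENDING, ST_FAIL,    ST_FAIL,    ST_FAIL,    ST_FAIL    },
    [ST_AUTH_PENDING] = { ST_AUTH_PENDING, ST_FAIL,    ST_FAIL,    ST_AUTHED,  ST_PREAUTH },
    [ST_AUTHED]       = { ST_AUTHED,       ST_FAIL,    ST_AUTHED,  ST_AUTHED,  ST_AUTHED  },
    [ST_FAIL]         = { ST_FAIL,         ST_FAIL,    ST_FAIL,    ST_FAIL,    ST_FAIL    },
};

struct session {
    enum state st;
    int channels;    /* channels actually granted */
    int violations;  /* out-of-sequence events seen */
};

void session_init(struct session *s)
{
    s->st = ST_PREAUTH;
    s->channels = 0;
    s->violations = 0;
}

/* Feed one event through the table and return the new state. Bounds are
 * checked so a corrupted event code cannot index outside the table. A channel
 * is granted only when the table itself leaves us in ST_AUTHED after a
 * channel-open request; there is no separate "authenticated" flag for other
 * code to flip. */
enum state session_event(struct session *s, enum event ev)
{
    if ((unsigned)ev >= EV_N || (unsigned)s->st >= ST_N) {
        s->st = ST_FAIL;
        return s->st;
    }
    enum state nx = next_state[s->st][ev];
    if (ev == EV_PEER_CHANNEL_OPEN && nx == ST_AUTHED)
        s->channels++;
    if (nx == ST_FAIL && s->st != ST_FAIL)
        s->violations++;
    s->st = nx;
    return nx;
}

/* Drive a whole sequence of events from a fresh session; return the final state. */
enum state run_script(struct session *s, const enum event *evs, size_t n)
{
    session_init(s);
    for (size_t i = 0; i < n; i++)
        session_event(s, evs[i]);
    return s->st;
}

int main(void)
{
    struct session s;
    /* Constructed sequences: a legitimate login, and a client that skips
     * authentication by announcing success itself before asking for a channel. */
    const enum event legit[]  = { EV_PEER_USERAUTH_REQUEST, EV_LOCAL_VERIFY_OK, EV_PEER_CHANNEL_OPEN };
    const enum event forged[] = { EV_PEER_USERAUTH_SUCCESS, EV_PEER_CHANNEL_OPEN };

    run_script(&s, legit, sizeof legit / sizeof legit[0]);
    printf("legit:  state=%d channels=%d violations=%d\n", s.st, s.channels, s.violations);
    run_script(&s, forged, sizeof forged / sizeof forged[0]);
    printf("forged: state=%d channels=%d violations=%d\n", s.st, s.channels, s.violations);
    return 0;
}
```

The design point is that the security property ("no channel before a local verification succeeded") is a property of one const table rather than of flags scattered through message handlers, so it can be reviewed, and as Chairman of the Bored says, formally checked, by reading the table alone; a message handler that merely sets a boolean on receipt of a success message has no such single place to inspect.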

  7. Anonymous Coward

    F5 are awful

    Had this situation when Heartbleed came out. Heard about it at 3am, put a ticket in the following morning.

    F5 had (have?) a support system where they'll not tell you anything about a fix until it appears. The ticket would be closed a few days later, you'd have to keep opening tickets until they had a fix.

    This wasn't helped by them having old versions of everything. I'm specifically on about the VM version of their stuff btw in case they're listening.

    Only reason we didn't use HAProxy at the time is it didn't support Elliptic Curve. I have no fucking idea why people pay for their crap now.

    1. bwolmarans2

      Re: F5 are awful

      Having worked on the temporary workaround for Heartbleed that same night it came out, I can't say I agree with every one of your points / opinions. It was deployed, and worked. Conversely, HAProxy users had no workaround (as an example of just one reason to use one over the other).

  8. Anne Hunny Mouse

    Cisco advisory for CVE-2018-10933

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh
