natali_mis - stock.adobe.com
F-Secure warns of F5 Big IP-related security issue
F-Secure has discovered security issues relating to an F5 device that it says could potentially turn hundreds of thousands of load balancers into beachheads for cyber attacks
Security firm F-Secure has issued a warning about security issues in some common configurations for F5 Networks’ Big-IP load balancer.
According to the security firm’s researchers, unless addressed, the issues could lead to cyber attacks on government departments, banks and large enterprises, where the device is widely deployed.
Adversaries can exploit insecurely configured load balancers to penetrate networks and perform a wide variety of attacks using web services managed by a compromised device, F-Secure warns.
The security issue relates to coding practices in the programming language tool command language (Tcl) used for Big-IP’s iRules, which direct incoming web traffic. Certain coding practices, the researchers said, allow attackers to inject arbitrary Tcl commands “which could be executed in the security context of the target Tcl script”.
Adversaries that successfully exploit insecurely configured iRules can use the compromised Big-IP device as a beachhead to launch further attacks, the researchers said, resulting in a potentially severe breach for an organisation.
Attackers could also intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organisation’s web services to be targeted.
In some cases, the researchers said exploiting a vulnerable system can be as simple as submitting a command or piece of code as part of a web request, that the technology will execute for the attacker.
Read more about risk assessment
- An important step to secure an industrial facility is performing an ICS risk assessment.
- IT staff needs to regularly review network security vulnerabilities and security gaps to battle rising cybersecurity breaches and keep costs under control through risk assessments.
- In assessing the cyber risks to a business, security professionals should start with the people in an organisation and keep them at the centre in identifying and mitigating risk, says consultant.
There are even cases where the compromised device will not record the adversaries’ actions, meaning there would be no evidence that an attack took place, the researchers warn. In other cases, an attacker could delete logs that contain evidence of their post-exploit activities.
F5 has issued a statement, making it clear that the vulnerability is not in Tcl or F5 products, but an issue relating to coding practices used in creating scripts.
“As with most programming or scripting languages, it is possible to write code in a way that creates vulnerabilities,” the statement said.
“We have been working with the researcher on documentation and notification to ensure customers can evaluate their exposure and take necessary steps to mitigate.
“The best practice for Tcl scripting is to escape all expressions, ensuring they are not substituted or evaluated unexpectedly. Customers are advised to evaluate Tcl scripts and make all changes they deem appropriate under this guidance.”
F-Secure senior security consultant Christoffer Jerkeby, who discovered the issue, said: “This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks.
“In addition, many organisations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem. Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack,” he said.
Jerkeby said he was able to discover more than 300,000 active Big-IP implementations on the internet during his research, but due to methodological limitations, he suspects the real number could be higher.
Although noting that not all users of Big-IP will be affected, Jerkeby said that the load balancer’s popularity among banks, governments, and other entities that provide online services to large numbers of people, combined with the relative obscurity of the underlying security issues with Tcl, means any organisation using Big-IP needs to investigate and assess its exposure.
“Unless an organisation has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” he said.
“Even someone incredibly knowledgeable about security who works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organisations better protect themselves from a potential breach scenario.”
F-Secure is advising all organisations using Big-IP to assess their risk in light of the fact that adversaries are able to scan the internet to identify and exploit vulnerable instances of the technology, and in some cases, automate this process.
Read more about configuration security risks
- Researchers at Palo Alto Networks have released details of the scale of misconfigured and exposed container services putting organisations at risk of cyber attack.
- A fresh Magecart campaign is breaching websites on a massive scale using indiscriminate attacks exploiting misconfigured Amazon S3 buckets, say researchers.
- In the year since the GDPR compliance deadline, the number of data files exposed online without adequate protection is up more than 50% due to misconfigured security controls, report reveals.
Furthermore, free trial versions of the technology are available, and cloud instances can be accessed from the AWS store for a minimal cost.
Jerkeby has helped develop two free, open-source tools that organisations can use to identify insecure configurations in their Big-IP implementations, but said: “There is no quick fix [like a security patch] for security issues like these, so it’s up to organisations to tackle the issue.
The first tool, TestTcl, is a library for unit testing Big-IP iRules. The second, Tclscan, is a tool that (lexically) scans Tcl code specifically for command injection flaws.