Massive vulnerability uncovered in popular networking device
- By Derek B. Johnson
- Jul 07, 2020
A particularly dangerous vulnerability has been uncovered in F5’s BIG-IP networking devices produced by F5, impacting enterprise networks across the globe.
According to F5, the remote code execution vulnerability exists in the traffic management user interface of the company’s BIG-IP networking devices, allowing unauthenticated attackers to launch RCE attacks, including creating or deleting files, disabling services and issuing other arbitrary system commands.
The vulnerability was rated “critical” and given a 10/10, the highest possible severity score, by the Common Vulnerability Scoring System. A patch was quickly developed, but information security professionals say the attack is simple to carry out and organizations may have already missed their opportunity to avoid exploitation.
Federal cybersecurity agencies sounded the alarm because the networking devices are a popular choice to support many enterprise; researchers have found thousands of such devices connected to the internet through Shodan. Government contracting records show a number of agencies that have either procured F5 BIG-IP devices or maintenance services for existing devices over the past five years, including the Departments of Commerce, Defense, State, multiple branches of the military, the FBI and a number of smaller agencies.
On July 3, U.S. Cyber Command advised organizations to “remediate immediately,” adding that patching the vulnerabilities “should not be postponed over the weekend.” The Cybersecurity and Infrastructure Security Agency put out an alert encouraging users to patch, and CISA Director Chris Krebs said his organization was already seeing reports of active scanning and possible exploitation of the vulnerability. Over the weekend, Krebs warned the “pre-exploit window to patch [is] slamming shut right in front of your eyes” and that organizations that hasn’t patched their devices by Sunday morning should “assume compromise.”
Curtis Dukes, former head of the Information Assurance Directorate at NSA and executive vice president at the Center for Internet Security, said that F5 BIG-IP devices are used by most large organizations, including major cloud service providers. Because it’s an RCE vulnerability, attacks can reach any device connected to the internet, regardless of where the attacker or device is located. A simple HTTP request can give attackers access to the server, where they can carry out credential theft, denial of service, file exfiltration or other attacks. He also highlighted cloud service providers and government entities that manage large datasets as particularly at-risk.
“Pretty much every industry sector uses the device and is likely susceptible -- if they are internet-facing -- to an attack,” Dukes said.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.