F5 BIG-IP Has Huge, Enormous, Bad, Scary Security Holes (Patch NOW)

Drop everything: A CVSS score of 10 is as bad as it gets. Trivial to exploit, this F5 BIG-IP vulnerability lets criminals pwn your entire network, and redirect your customers elsewhere.

F5’s enterprise LTM-cum-GTM boxes also harbor another bug. But this one “only” scores 7.5.

Even if your kit is protected via VLAN or firewall, say, get that patch installed—pronto. In today’s SB Blogwatch, we scurry to fix.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: UOofGB desecrates KT.


Hair. On. Fire.

What’s the craic? Lindsey O’Donnell reports—“Admins Urged to Patch Critical F5 Flaw Under Active Attack”:

 F5 Networks issued urgent patches for the critical remote code-execution flaw … which has a CVSS score of 10 out of 10. The flaw exists in … the company’s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing.

Researchers warn that they’ve seen attackers targeting the flaw … launching Mirai variant DvrHelper, deploying cryptocurrency mining malware, and scraping credentials. … Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated.

Another flaw was also fixed last week in BIG-IP that could allow an authenticated attacker to launch cross-site scripting attacks. [It] allows attackers to run malicious JavaScript code as a logged-in user.

And Andy Greenberg warns—“For companies that haven’t patched their BIG-IP products, it may already be too late”:

 Any company that uses a certain piece of networking equipment from Seattle-based F5 Networks had a rude interruption to their July 4 weekend, as a critical vulnerability turned the holiday into a race to implement a fix. … Government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm.

Hacking techniques … could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. [A] directory traversal bug in the web-based management interface … was exacerbated by another bug that allows an attacker to run a “shell,” [which] lets a hacker run any code on them that they choose.

Hackers could, for instance, intercept and redirect transactions made through a bank’s website, or steal users’ credentials. … Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even … steal the encryption keys that guarantee the security of an organization’s HTTPS traffic with users. … An attacker could redirect traffic to a server under their control, or even inject malicious content into traffic to target other users.

It can be pulled off in its simplest form just by tricking someone into visiting a carefully crafted URL. … Many firms now need not only to update their BIG-IP equipment, but also test it for exploitation and hunt around their networks for signs that it may have already been used as an entry point for intruders.

When reached for comment, F5 directed [me] to a security advisory the company posted on June 30. “This vulnerability may result in complete system compromise,” the page reads.
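Greenberg’s point that patching is only half the job (you also have to hunt for earlier exploitation) comes down, in practice, to reviewing the management interface’s access logs for traversal attempts. The following is an added example, not code from the original post or from F5: it scans access-log lines for directory-traversal indicators, decodes percent-encoding repeatedly so double-encoded sequences surface, and separates requests aimed at the management UI from the rest. The management-UI path prefix and the log lines are constructed assumptions; adjust the prefix to the device under review.

```python
"""Hunt HTTP access logs for directory-traversal attempts against a device's
management interface.

Added example, not code from the original post or from F5.  The log lines
are constructed, and the management-UI path prefix is an assumption to be
adjusted for the device being reviewed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: the web management UI is served under this prefix.
MGMT_PREFIXES = ("/tmui/",)

# Apache/NGINX combined-log-format request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Traversal indicators, matched after decoding: dot-dot followed by a
# forward slash, a backslash, or a ';' (the path-parameter separator that
# some Java servlet containers strip before the path is matched).
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|;)")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(lines):
    """Return one record per request whose decoded path contains a traversal
    indicator; lines that do not parse as combined log format are skipped."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        raw_path = match.group("target").split("?", 1)[0]
        decoded = decode_fully(raw_path).lower()
        if not TRAVERSAL_RE.search(decoded):
            continue
        status = int(match.group("status"))
        hits.append({
            "ip": match.group("ip"),
            "ts": match.group("ts"),
            "method": match.group("method"),
            "path": raw_path,
            "decoded": decoded,
            "status": status,
            # Traversal aimed at the management UI is the case to escalate.
            "mgmt": decoded.startswith(MGMT_PREFIXES),
            # A 2xx answer to a traversal request suggests it was not blocked.
            "likely_success": 200 <= status < 300,
        })
    return hits


def sources_to_investigate(hits):
    """Count flagged requests per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log; the request paths exercise the detector and are
# not a reproduction of any published exploit chain.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2020:03:14:07 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4123',
    '203.0.113.5 - - [05/Jul/2020:03:14:09 +0000] "GET /tmui/login.jsp/..;/tmui/ HTTP/1.1" 200 812',
    '198.51.100.77 - - [05/Jul/2020:03:15:31 +0000] "GET /tmui/%2e%2e%3b/tmui/ HTTP/1.1" 404 0',
    '192.0.2.10 - - [05/Jul/2020:03:16:02 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0',
    '192.0.2.10 - - [05/Jul/2020:03:16:40 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        flag = "MGMT" if h["mgmt"] else "other"
        print(f'{h["ts"]} {h["ip"]:>14} {h["status"]} {flag:5} {h["path"]}')
    print("sources:", sources_to_investigate(found))
```

A traversal request that the device answered with a 2xx status against the management prefix is the record to escalate: it is evidence the request reached the interface rather than being dropped at a firewall or returning an error, and the source IP then becomes the pivot for the wider network hunt Greenberg describes.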

No kidding? Mikhail Klyuchnikov discovered both vulns—“F5 fixes critical vulnerability”:

 The BIG-IP application delivery controller [is] used by some of the world’s biggest companies. … In June 2020, there were more than 8,000 vulnerable devices available [on] the internet.

Vulnerability CVE-2020-5902 received a CVSS score of 10, indicating the highest degree of danger. [And an] XSS vulnerability CVE-2020-5903 (score: 7.5) enables running malicious JavaScript code.

Exploited much? Lawrence Abrams yells, “Patch now!”:

 Two days after patches for the critical F5 BIG-IP vulnerability were released, security researchers have started publicly posting proof-of-concept … exploits, to show how easy it is. … F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet services providers … Microsoft, Oracle, and Facebook.

Without a doubt, APT, state-sponsored actors, and ransomware operators will, if not already, use these vulnerabilities to try and breach your network. Patch now!

And worse. Troy Mursch—@bad_packets—has #threatintel:

Most of the vulnerable F5 servers … use the default SSL cert with “MyCompany” and “localhost.localdomain” making identification of the responsible party very difficult. … Anyone have a security contact at Boeing? … Anyone have a security contact at Disney?

System administrators need to upgrade to fixed versions ASAP. A proof-of-concept exploit is now publicly available.

CVE-2020-5902 … critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the targeted server. … Opportunistic mass scanning and exploit activity continues to target F5 BIG-IP servers vulnerable to [it].

So mrkoot asks the question:

 What explains the existence of 90s-style unauthenticated critical path traversal / code execution vulns in enterprise-grade application delivery products? … How is it that these … categories of bugs are overlooked in such products, in some cases for years?

I’d expect reasonably competent security testers would have discovered this, … given the right conditions: sufficient time, focus, and access to relevant source code and configuration files. These companies have plenty of resources to attract talent.

My reflex when learning about such vulnerabilities is to laugh out loud. … But in fact there’s very little fun about hospitals, universities, NGOs, banks, insurance companies, multinationals, governments, defense industry etc. around the globe being exposed to exploitation of these bugs, often even in internet-facing code, via trivial and reliable attacks.

Would love to see vendors perform root cause analysis and be transparent about the outcomes. … For all vendors and societies at large to actually learn something and act on it.

But publicly available? Get off my lawn, sighs Your Average Joe:

 We have some stupid people out there. … No need to expose the management web interface to the internet.

We have been using VLANs and private networks for decades. Must be some young kid that says IPv6 means we will not need any more of those pesky firewalls.

Still not convinced it’s bad? Here’s kevvyg:

 This one is just so bad. Gonna take a minute to break it down for folks who have F5 in their environment.

BIG-IP on LTM … is what you traditionally think of as a load balancer. Sends traffic to healthy systems, takes unhealthy hosts out of the pool. … LTMs handle SSL/TLS termination [and] provide content injection via iRules, F5’s proprietary scripting language. … Imagine an iRule that scraped credentials or payment info.

GTMs are essentially very powerful DNS servers. They can redirect, based on geographic location and many other factors, any DNS record to whatever IP address is defined in the GTM. … Imagine a bad guy … can redirect any DNS call … to the server of their choosing.

This is probably one of the most impactful vulnerabilities I’ve seen in my 20+ years in infosec. It’s not just the ability to compromise one LTM or GTM. It’s the ability to compromise any application sitting behind one. … It’s really bad.

tl;dr? dsXLII summarizes:

 Since F5 gear tends to be connected to many different network segments, and can often decrypt traffic passing through it, this is a Very Bad place to have a security issue.

Meanwhile, is AmazingRuss implying an implication?

 This is why, each morning, I mail myself a picture of my ****, so the FBI agent reading my mail has to look at it.

And Finally:

Don’t let Kate Bush see this video



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Michael Schwarzenberger (via Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
