Story image

F5 Networks' BIG-IP load balancer product vulnerable to attack

13 Aug 2019
Twitter
Facebook

Organisations that use F5 Networks BIG-IP load balancer should immediately check their configurations to ensure they are protected from potentially serious security issues.

Cybersecurity firm F-Secure spotted security issues in the BIG-IP load balancer, caused by common product configurations. Attackers could exploit these configurations to gain access to networks and conduct attacks, or attackers could targets those using web services managed by a compromised device.

According to F-Secure, the security issue is related to BIG-IP’s iRules. The Tcl programming language is not secure, and certain coding practices could allow attackers to inject arbitrary Tcl commands, which could be executed in the target Tcl script’s security context.

F-Secure states that attackers who exploit these iRules can use the compromised BIG-IP device to launch more attacks, putting the target organisation at serious risk of a breach. 

Attackers could also monitor and manipulate web traffic, which could lead to data breaches such as credential exposure and potential attacks on individuals.

Attacks could be as easy as submitting a command or code as a web request. In some cases, the device will not even record the attacker’s actions, which means the attacker could wipe logs and leave no trace that they were ever in the system.

While this type of coding vulnerability is known, F-Secure is drawing to the vulnerability in BIG-IP devices because of its popularity amongst banks, governments, and other large organisations.

“This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks,” comments F-Secure senior security consultant Christoffer Jerkeby. 

“Plus, many organisations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem. Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”  

F-Secure researchers spotted more than 300,000 active BIG-IP implementations active on the internet, but Jerkeby suspects there are many more operating.

“Unless an organisation has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” says Jerkeby. 

“Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organisations better protect themselves from a potential breach scenario.”

F-Secure is advising organisations to find out if they have been affected. 

Jerkeby has helped to develop two publicly available open source tools (TestTcl and Tclscan) that can analyse Tcl scripts. TestTcl is a library for unit testing BIG-IP iRules. Tclscan is a tool that (lexically) scans Tcl code specifically for command injection flaws.

“The upside of this kind of security problem is that not everyone using the product will be affected,” says Jerkeby.

“But the downside is that the problem can’t be fixed with a patch or software update from the vendor, so it’s up to organisations to do the work to check to see if they have this issue, and fix it if they find it. That’s why it’s important for anyone using BIG-IP to be proactive about this.”