Hackers Are Actively Exploiting BIG-IP Vulnerability With a 9.8 Severity Rating (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.
Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing (PDF) BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."
Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched. BIG-IP users can check exploitability via a one-line bash script that can be found here.
CVSS is actually pretty awesome (Score:5, Informative)
CVSS is actually pretty darn cool. It gives a mostly objective way to rate and communicate the severity of any vulnerability.
It consists of three parts, with the Base Score being used most often. The base score is calculated from:
Exploitability Metrics
Attack Vector (AV)*
Attack Complexity (AC)*
Privileges Required (PR)*
User Interaction (UI)*
Scope (S)*
Impact Metrics
Confidentiality Impact (C)*
Integrity Impact (I)*
Availability Impact (A)*
So for example the PR component is whether it can be exploited by a random unauthenticated person, by an unprivileged user, or by a privileged user. If a random salesperson you just hired can take over your AD, that's bad. If someone who isn't even in your company can take control of your AD, that's worse.
The interaction component distinguishes between something like a vulnerability in a pdf viewer that is triggered when a user opens the file, vs a vulnerability in Outlook or IIS that gives the bad guy access without anyone clicking anything.
Here's how this one is scored. It's in the news because it's high on all measures.
https://nvd.nist.gov/vuln-metr... [nist.gov]
PS Erelam (Score:2, Flamebait)
Btw, Erelam, you might consider just commenting on these you have SOME clue about. As opposed to saying stupid things about topics you know absolutely nothing about. That greatly reduces how much you look stupid.
Re: (Score:3)
I'm moved to wonder if you're professionally stupid or just coasting on natural talent.
Vulnerability scores are advisories - there's no product being sold.
Various versions of CVSS have been in use for over a decade.
CVSS was introduced by NIAC - a government agency.
Ok, is that deliberate? (Score:2)
I mean, seriously, how do you NOT notice something like that before shipping?
Re:Ok, is that deliberate? (Score:5, Informative)
Re: (Score:2)
Exposing the full jackpot to the public internet on your primary network security device through an exploit in the authentication module - what's not to love? If the bug was massively obvious or the result of the kind of dumbassery we used to see (cleartext secrets, weak hashing, SQL injection attacks, cross-site scripting, that kind of thing) it would have scored the perfect 10.
Except for that bastard judge from East Germany - they would still only have given up a 7.
Re: (Score:2)
This one involves hardcoded credentials.
Re: (Score:1)
Re: (Score:2)
And that is probably why it's only a 9.8 instead of a perfect 10.
Re: (Score:2)
From your description:
"if a request is received without the X-F5-Auth-Token, it is assumed to be administrative and only the username of the HTTP Basic header will be verified to match either admin or root... These are the credentials that were observed to be hardcoded into the application for use to send trusted requests."
Their basic security model is fucked. If a bug this serious is in the system, then there are more bugs waiting to be found. I would not let this device on the public internet.
Re: (Score:2)
Or the vulnerability is deliberate, to serve the desires of various national security agencies. Cisco has had a history of baking in such credentials; it would not shock me if this were considered a useful feature by someone at Big-IP who shared the vulnerability with their after-hours consulting employer.
Re: (Score:2)
Re: (Score:2)
I'd say it's obvious. They hard coded certain credentials as a way to trust local requests without authenticating them, and assumed that requests coming from other hosts could not mimic them.
That's a very common mistake - assuming that external data cannot be something, or that another application (in this case Apache) will sanitize the data for you so it can be trusted.
There are two massive red flags there. A security audit should have picked them up, and a security minded developer should never have desig
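As an added illustration of the quoted trust model (the "no X-F5-Auth-Token means administrative, check only the Basic username" description above) and of the "assume external data cannot mimic local requests" mistake this comment describes, here is a toy model of that decision beside a hardened version. This is constructed example code, not F5's implementation; the user store, token set and header handling are assumptions.

```python
# Added example: a constructed model of the flawed trust decision and its fix.
import base64, hashlib, hmac

def _h(pw):
    """Constructed stand-in for a real password hash backend."""
    return hashlib.sha256(b"demo-salt:" + pw.encode()).hexdigest()

USERS = {"admin": _h("correct horse battery staple")}   # constructed credential store
VALID_TOKENS = {"tok-7f3a"}                              # constructed session tokens

def basic_header(user, pw):
    """Build an HTTP Basic Authorization header value (for the demo inputs)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def _basic_user_and_pass(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None, None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:          # malformed base64 or non-UTF-8 payload
        return None, None
    return user, pw

def vulnerable_is_admin(headers):
    """Flawed logic: a missing token header is read as 'trusted local request',
    so only the Basic *username* is compared, and the password is never checked."""
    if "X-F5-Auth-Token" in headers:
        return headers["X-F5-Auth-Token"] in VALID_TOKENS
    user, _ = _basic_user_and_pass(headers)
    return user in ("admin", "root")

def hardened_is_admin(headers):
    """Never infer trust from the *absence* of data: every request must carry a
    valid token or Basic credentials verified against the store."""
    token = headers.get("X-F5-Auth-Token")
    if token is not None:
        return token in VALID_TOKENS
    user, pw = _basic_user_and_pass(headers)
    if user is None or user not in USERS:
        return False
    return hmac.compare_digest(USERS[user], _h(pw))
```

The hardened version also shows the "defense in depth" point raised elsewhere in the thread: the decision does not depend on a front-end proxy having stripped or added a header correctly.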
Re: (Score:2)
Re: (Score:2)
It might not be obvious, but it sure as shit is the result of a pretty lackadaisical approach to security. "Defense in depth" should be the underlying principle, not "defense if all these separate components work just right".
It speaks of pretty piss-poor engineering from F5.
How does stuff like this happen? Web complexity? (Score:3)
I wonder how stuff like this can even happen? A REST interface is nice, but sometimes I wonder if there are so many moving parts that a supply chain attack or something like this is all but inevitable.
Wonder if it might help things to have commands done via SSH and SSH keys. That way, some random Internet user would at least get the middle finger if they tried to connect to port 22 before access to any commands is available, so there is some baseline of security and authentication. It may not be as easy as a REST statement, but because it is a "lower to the ground" protocol, it would be more secure.
Re: (Score:1)
This type of argument never works against megacorp executives in board-room meetings. They're always excited to spend money on any features that devalue expertise because it makes them dream they could do the work themselves without hiring anyone at all, as though they actually would... which, granted, is a ridiculous notion, but they don't operate on rational arguments. They're bored by rational arguments.
Re: (Score:2)
Re: (Score:2)
They decided to make configuration "easy" by offering a web interface, but didn't properly control non-administrator users' access. Anyone with access to that web interface can open a Bash shell with root privileges and execute any commands they want.
It's a classic flaw: someone forgot to add the necessary authentication code to that particular part of the web interface, or maybe they thought that only administrators could gain access to it so there was no need to check again.
Re: (Score:2, Funny)
Sometimes CTRL+R, sometimes F5.
Real problem is management interface exposed (Score:2)
This bug can only be triggered if the attacker has access to the management interface of the network device. In that case the main problem is that exposure. No real network admin would ever expose that management interface.
Re: (Score:2)
Re: (Score:2)
Also ignore that there are tons of "network admins" out there that open this externally for remote admin.
If I were management in a company and found that a network admin connected the "out of band management" port to any network that could be reached from the Internet, that network admin would be immediately available for hire elsewhere.
Re: (Score:2)
Re: (Score:2)
You: Alex, I'd like to buy Readability for $500.
Alex: The answer is "Make your screed readable?"
You: What is writing one gonzowhopper paragraph that only a dyspeptic ulcer of a techno-geek would actually read it?
Alex: I'm sorry, the question was "What are paragraphs?" Sorry.
Re: (Score:1)
The endpoint formerly named Bash (Score:2)
"to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges"
Why did anyone think this is a good thing? It sounds more like a comedy skit nobody would ever believe. I'm having a hard time wrapping my head around this and all the fucked up things there must be in that company to ever have allowed it, let alone testing the hell out of it. Product sounds like radioactive garbage.