Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hackers Are Actively Exploiting BIG-IP Vulnerability With a 9.8 Severity Rating (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing (PDF) BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched.
BIG-IP users can check exploitability via a one-line bash script that can be found here.
This discussion has been archived. No new comments can be posted.

Hackers Are Actively Exploiting BIG-IP Vulnerability With a 9.8 Severity Rating

Comments Filter:
  • I mean, seriously, how do you NOT notice something like that before shipping?

    • by sinij ( 911942 ) on Monday May 09, 2022 @08:29PM (#62518330)
      The bug is not obvious. Here is good technical description. [randori.com].
      • Exposing the full jackpot to the public internet on your primary network security device through an exploit in the authentication module - what's not to love? If it bug was massively obvious or the result of the kind of dumbassery we used to see (cleartext secrets, weak hashing, SQL injection attacks, cross-site scripting, that kind of thing) it would have scored the perfect 10.

        Except for that bastard judge from East Germany - they would still only given up a 7.

        • This one involves hardcoded credentials.

        • The vulnerability is not exposed to the public internet or primary network - it is on the management interface only. Where I work, only the admins can access that network and we have to VPN into it (and when I'm not in the office, I actually have to use two VPNs simultaneously to get there). The only way this would be true is if you jacked your management port into your public internet and then didn't use a firewall, or you manually turned on/forced the iControl interface to be on a self-IP which is not the
      • From your description:

        "if a request is received without the X-F5-Auth-Token, it is assumed to be administrative and only the username of the HTTP Basic header will be verified to match either admin or root... These are the credentials that were observed to be hardcoded into the application for use to send trusted requests."

        Their basic security model is fucked. If a bug this serious is in the system, then there are more bugs waiting to be found. I would not let this device on the public internet.

        • Or the vulnerability is deliberate, to serve the desires of various national security agencies. Cisco has had a history of baking in such credentials, it would not shock me if this were considered a useful feature by someone at Big-IP who shared the vulnerability with their after-hours consulting employer.

        • by sinij ( 911942 )
          The request in question is from frontend to backend. Yes, security model is fucked, but that is not obvious. To me, obvious is something you can discover via blackbox testing. This isn't it - you need to reverse communication between internal components.
      • by AmiMoJo ( 196126 )

        I'd say it's obvious. They hard coded certain credentials as a way to trust local requests without authenticating them, and assumed that requests coming from other hosts could not mimic them.

        That's a very common mistake - assuming that external data cannot be something, or that another application (in this case Apache) will sanitize the data for you so it can be trusted.

        There are two massive red flags there. A security audit should have picked them up, and a security minded developer should never have desig

        • by sinij ( 911942 )
          My understanding is that root cause of the bug is assuming default state is authenticated. Secondary and much more minor mistake was assuming that internal data transfer is not accessible to the outside attacker. When attackers managed to strip authentication data via novel abuse of HTTP backend server accepted remaining data as coming from an authorized administrator.
      • It might not be obvious, but it sure as shit is the result of pretty lackadaisical approach to security. "Defense in depth" should be the underlying principle, not "defense if all these separate components work just right".

            It speaks of pretty piss-poor engineering from F5.

  • I wonder how stuff like this can even happen? A REST interface is nice, but sometimes I wonder if there are so many moving parts that a supply chain attack or something like this is all but inevitable.

    Wonder if it might help things to have commands done via SSH and SSH keys.. That way, some random Internet user would at least get the middle finger if they tried to connect to port 22 before access to any commands is available, so there is some baseline of security and authentication. It may not be as easy as a REST statement, but because it is a "lower to the ground" protocol, it would be more secure.

    • This type of argument never works against megacorp executives in board-room meetings. They're always excited to spend money on any features that devalue expertise because it makes them dream they could do the work themselves without hiring anyone at all, as though they actually would... which, granted, is a ridiculous notion, but they don't operate on rational arguments. They're bored by rational arguments.

      • You're missing the other half: accountability. It's not like a bad decision at the executive level will actually ever lead to anything other than a golden parachute. If these martini soaked assholes ever got thrown into jail for their malfeasance, we might see better run organizations. But I still wouldn't hold my breath for it.
    • by AmiMoJo ( 196126 )

      They decided to make configuration "easy" but offering a web interface, but didn't properly control non-administrator user's access. Anyone with access to that web interface can open a Bash shell with root privileges and execute any commands they want.

      It's a classic flaw, someone forgot to add the necessary authentication code to that particular part of the web interface, or maybe they thought that only administrators could gain access to it so no need to check again.

  • This bug can only be triggered if the attacker has access to the managment interface of the network device. In that case the main problem is that exposure. No real network admin would ever expose that management interface.

    • And luckily no machine ever on the admin net have been compromised in the history of man. Also ignore that there are tons of "network admins" out there that opens this externally for remote admin.
      • Also ignore that there are tons of "network admins" out there that opens this externally for remote admin.

        If I were management in a company and found that a network admin connected the "out of band management" port to any network that could be reached from the Internet, that network admin would be immediately available for hire elsewhere.

        • That might be but it happens all the time in lots of companies. It's just much easier to connect the admin port to Internet and hire some admins from overseas (or to work from home) than to do it the right way.
  • "to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges"
    Why did anyone think this is a good thing? It sounds more like a comedy skit nobody would ever believe. I'm having a hard time wrapping my head around this and all the fucked up things there must be in that company to ever have allowed it, let alone testing the hell out of it. Product sounds like radioactive garbage.

Keep up the good work! But please don't ask me to help.

Working...