F5 Networks' BIG-IP load balancer product vulnerable to attack

13 Aug 2019

Organisations that use F5 Networks BIG-IP load balancer should immediately check their configurations to ensure they are protected from potentially serious security issues.

Cybersecurity firm F-Secure spotted security issues in the BIG-IP load balancer, caused by common product configurations. Attackers could exploit these configurations to gain access to networks and conduct attacks, or they could target those using web services managed by a compromised device.

According to F-Secure, the security issue is related to BIG-IP’s iRules. The Tcl programming language is not secure, and certain coding practices could allow attackers to inject arbitrary Tcl commands, which could be executed in the target Tcl script’s security context.

F-Secure states that attackers who exploit these iRules can use the compromised BIG-IP device to launch more attacks, putting the target organisation at serious risk of a breach. 

Attackers could also monitor and manipulate web traffic, which could lead to data breaches such as credential exposure and potential attacks on individuals.

Attacks could be as easy as submitting a command or code as a web request. In some cases, the device will not even record the attacker’s actions, which means the attacker could wipe logs and leave no trace that they were ever in the system.

While this type of coding vulnerability is known, F-Secure is drawing attention to the vulnerability in BIG-IP devices because of the product's popularity amongst banks, governments, and other large organisations.

“This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks,” comments F-Secure senior security consultant Christoffer Jerkeby. 

“Plus, many organisations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem. Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”  

F-Secure researchers spotted more than 300,000 BIG-IP implementations active on the internet, but Jerkeby suspects there are many more operating.

“Unless an organisation has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” says Jerkeby. 

“Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organisations better protect themselves from a potential breach scenario.”

F-Secure is advising organisations to find out if they have been affected. 

Jerkeby has helped to develop two publicly available open source tools (TestTcl and Tclscan) that can analyse Tcl scripts. TestTcl is a library for unit testing BIG-IP iRules. Tclscan is a tool that (lexically) scans Tcl code specifically for command injection flaws.
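To illustrate the kind of lexical check Tclscan performs, here is an added example (not Tclscan's or F-Secure's code) that flags the pattern behind the flaw: a re-parsing Tcl command such as expr, eval or subst handed an unbraced argument that carries a substitution, run over a constructed iRule fragment.

```python
"""Lexical check for the Tcl double-substitution flaw behind iRule command
injection: expr, eval, subst and uplevel re-parse their argument, so a $var or
[cmd] substituted into an unbraced argument runs again; a braced one stays data."""
import re

# Re-parsing commands; a call may begin at line start or after '[', ';' or '{'
CALL = re.compile(r"(?:^\s*|[\[;{]\s*)(expr|eval|subst|uplevel)\s+")

def split_words(text):
    """Split Tcl arguments into words, honouring {..}, [..] and "..", stopping
    at ';' or at the ']' that closes the enclosing [command]."""
    words, cur, depth, quoted = [], "", 0, False
    for ch in text:
        if not quoted and depth == 0:
            if ch in ";]":
                break
            if ch.isspace():
                if cur:
                    words.append(cur)
                cur = ""
                continue
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif not quoted:
            depth += {"{": 1, "[": 1, "}": -1, "]": -1}.get(ch, 0)
        cur += ch
    if cur:
        words.append(cur)
    return words

def scan(source):
    """Return (line number, command, argument) for every argument that carries
    a substitution and is not brace-quoted, i.e. one that gets parsed twice."""
    found = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):   # whole-line Tcl comment
            continue
        for m in CALL.finditer(line):
            for word in split_words(line[m.end():]):
                braced = word.startswith("{") and word.endswith("}")
                if not braced and ("$" in word or "[" in word):
                    found.append((n, m.group(1), word))
    return found
# Constructed iRule fragment for demonstration, not from any real deployment
SAMPLE_IRULE = """when HTTP_REQUEST {
    set uri [HTTP::uri]
    set bad [expr $uri]           ;# unbraced: the value of $uri is re-parsed
    set ok [expr {$uri eq "/"}]   ;# braced: $uri substituted once, as data
    eval "log local0. $uri"       ;# eval over request-controlled text
}"""
```

The remedy the scanner points at is the braced form: expr substitutes `$uri` itself and treats the result as an operand, whereas the unbraced call receives the already-substituted request data and parses it as Tcl.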

“The upside of this kind of security problem is that not everyone using the product will be affected,” says Jerkeby.

“But the downside is that the problem can’t be fixed with a patch or software update from the vendor, so it’s up to organisations to do the work to check to see if they have this issue, and fix it if they find it. That’s why it’s important for anyone using BIG-IP to be proactive about this.”
