Hack Brief: Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment

For companies that haven't patched their BIG-IP products, it may already be too late.
Around 8,000 devices are at risk of a devastating vulnerability in BIG-IP networking devices. Photograph: Isa Yurtsever/Getty Images

Any company that uses a certain piece of networking equipment from Seattle-based F5 Networks had a rude interruption to their July 4 weekend, as a critical vulnerability turned the holiday into a race to implement a fix. Those who haven't done so by now may now have a much larger problem on their hands.

Late last week, government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild—and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.

"This is the pre-exploit window to patch slamming shut right in front of your eyes," wrote Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency, in a tweet Sunday afternoon. "If you didn’t patch by this morning, assume compromised."

The Hack

The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they're not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a "shell" on the devices that essentially lets a hacker run any code on them that they choose.
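The mechanism described above, a directory traversal bug in a web-based management interface, leaves a recognisable trace in access logs: request paths whose segments climb out of the intended directory, often hidden behind one or two layers of percent-encoding. The following Python script is an added example, not code from WIRED, F5 or Positive Technologies, and it does not contain the BIG-IP exploit URL. It scans constructed, hypothetical web-server log lines (the `/mgmt/` prefix is an assumed stand-in for a management interface path) and flags traversal attempts after decoding, including double-encoded ones, so that a defender can find out whether a device was probed before the patch went in.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a common web-server format
# (client, timestamp, request line, status). These are NOT real BIG-IP
# logs and /mgmt/ is a hypothetical management-interface prefix.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2020:09:12:01 +0000] "GET /mgmt/login.jsp HTTP/1.1" 200
10.0.0.9 - - [05/Jul/2020:09:12:07 +0000] "GET /mgmt/static/../../etc/passwd HTTP/1.1" 200
10.0.0.9 - - [05/Jul/2020:09:12:09 +0000] "GET /mgmt/static/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404
10.0.0.9 - - [05/Jul/2020:09:12:11 +0000] "GET /mgmt/static/%252e%252e%252fconfig HTTP/1.1" 200
10.0.0.7 - - [05/Jul/2020:09:13:00 +0000] "GET /mgmt/img/logo..png HTTP/1.1" 200
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A segment that is exactly ".." or ".." followed by a non-name character
# (e.g. "..;") is a traversal step; "logo..png" is an ordinary file name.
TRAVERSAL_SEG = re.compile(r'^\.\.(?:$|[^\w.\-])')


def normalize_path(raw, max_rounds=3):
    """Strip the query string, percent-decode repeatedly (attackers
    double-encode to slip past naive filters) and fold backslashes."""
    path = raw.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(raw_path):
    """True if any decoded path segment is a parent-directory reference."""
    return any(TRAVERSAL_SEG.match(seg)
               for seg in normalize_path(raw_path).split('/'))


def scan_log(text, watched_prefix='/mgmt/'):
    """Return one record per request that both targets the watched prefix
    and contains a traversal sequence. Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        norm = normalize_path(m['path'])
        if norm.startswith(watched_prefix) and is_traversal(m['path']):
            hits.append({
                'client': m['client'],
                'ts': m['ts'],
                'raw_path': m['path'],
                'decoded_path': norm,
                'status': int(m['status']),
            })
    return hits


def clients_by_hits(hits):
    """Count flagged requests per source address, most active first."""
    counts = {}
    for h in hits:
        counts[h['client']] = counts.get(h['client'], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['status']} {h['raw_path']} -> {h['decoded_path']}")
    print('per-client:', clients_by_hits(found))
```

A status of 200 on a flagged request is the line worth escalating: it suggests the traversal reached a file rather than being rejected, and is the point at which the paragraph's "assume compromised" advice applies to that device.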

The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer. "It's really, really powerful," says Gennuso, who declined to name his employer but said that he'd spent much of the holiday weekend working to fix the security vulnerabilities in its F5 devices. "This is probably one of the most impactful vulnerabilities I’ve seen in my 20-plus years of information security, because of its depth and breadth and how many companies use these devices."

When reached for comment, F5 directed WIRED to a security advisory the company posted on June 30. "This vulnerability may result in complete system compromise," the page reads, before going on to detail how companies can mitigate it.

How Serious Is This?

F5's bug is particularly concerning because it's relatively easy to exploit while also offering a large menu of options to hackers. Security researchers have pointed out that the URL that triggers the vulnerability can fit into a tweet—one researcher from South Korea's Computer Emergency Response Team posted two versions in a single tweet along with a video demo. Since the attack targets a vulnerable device's web interface, it can be pulled off in its simplest form just by tricking someone into visiting a carefully crafted URL.

While many of the public proofs of concept demonstrate only the most basic versions of the F5 attack, which merely grab an administrator’s username and password from the device, the bug could also be used for more elaborate schemes. An attacker could redirect traffic to a server under their control, or even inject malicious content into traffic to target other users or organizations. “A sufficiently savvy actor would be able to do that,” says Joe Slowik, a security analyst at industrial control system security firm Dragos. “This gets really scary, really quickly.”

Who’s Affected?

The good news for defenders is that only a small minority of F5 BIG-IP devices—those that have their web-based management interface exposed to the internet—are directly exploitable. According to Positive Technologies, that still includes 8,000 devices worldwide, a number roughly confirmed by other researchers using the internet search tool Shodan. About 40 percent of those are in the US, along with 16 percent in China and single-digit percentages in other countries around the globe.

Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update. But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix.

Given the relative simplicity of the F5 attack technique, any organization that owns one of those 8,000 BIG-IP devices and didn't move quickly to patch it may already be compromised. Security firm NCC Group warned in a blog post over the weekend that it saw on Sunday a spike in exploitation attempts on its "honeypots"—bait devices designed to impersonate vulnerable machines to help researchers study attackers. The firm saw even more attempts Monday morning.

That means many firms now need not only to update their BIG-IP equipment, but also to test it for exploitation and hunt around their networks for signs that it may have already been used as an entry point for intruders. "For something this serious and trivially easy to exploit," says Dragos' Slowik, "a lot of organizations are going to come in after this weekend and be not in patching mode but in incident response mode."
