Firms urged to scan networks for major BIG-IP load balancer flaw

Compromised devices are difficult to detect and can act as a springboard for further attacks


Organisations are being urged to scan their networks for signs of compromise after the discovery of a coding flaw in F5 Networks' BIG-IP load balancer that could allow an attacker to intercept and steal sensitive data.

The flaw in the load balancer, used by many large organisations like banks and government agencies to streamline the flow of web traffic, involves injecting a staging payload into F5's iRules engine.


This is very difficult to detect, but in some cases an attacker can carry out the attack simply by submitting a command or piece of code as part of a web request, which the device then executes.

From there, attackers can take full control of the BIG-IP instance by connecting to local management services or by scanning the victim organisation's internal networks.

More than 300,000 active BIG-IP implementations were discovered on the internet, according to cyber security company F-Secure, but the true number is likely to be much higher.

"This vulnerability is easy to exploit but very hard to detect," said senior security consultant with F-Secure, Christoffer Jerkeby, who discovered the flaw.

"It is likely that there are hackers out there today who exploit this vulnerability, but the victims never know. Successful attacks reside in memory only, and incoming requests are not logged by default."


Indeed, in many cases, there is no evidence an attack may have taken place because compromised devices do not record actions. In other cases, an attacker could delete logs that detail their activities after breaching an organisation's network.


Jerkeby told IT Pro that big businesses should use the free, open-source tools that are available, if only to find out whether they are affected by the flaw or are even being actively targeted.

SIEM logging with alarms, meanwhile, should be set up for syntax error events, which can occur when an attacker tests an injection manually and fails to produce a correct injection.

The implications of not addressing the flaw are severe, and could lead to an attacker intercepting and manipulating web traffic to harvest sensitive information and authentication credentials, as well as application secrets. An attacker may also use the breach as an opportunity to target and attack the users of any organisation's web services.

Although not all BIG-IP users are affected, its popularity among financial institutions and public sector organisations, combined with the obscurity of the underlying issue, means organisations should immediately investigate and assess their exposure.

"Unless an organization has done an in-depth investigation of this technology, there's a strong chance they've got this problem," Jerkeby continued.


"Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario."

An F5 Networks spokesperson told IT Pro the issue is not a vulnerability in BIG-IP or in Tcl, but rather the result of not following secure coding practices.

"As with most programming or scripting languages, it is possible to write code in a way that creates vulnerabilities.

"We have been working with the researcher on documentation and notification to ensure customers can evaluate their exposure and take necessary steps to mitigate.

"The best practice for Tcl scripting is to escape all expressions, ensuring they are not substituted or evaluated unexpectedly. Customers are advised to evaluate Tcl scripts and make all changes they deem appropriate under this guidance."
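As an added illustration (not code from the article, from F5 or from the researcher), the unbraced and braced forms of the same Tcl expression in a hypothetical iRule; the header name and the arithmetic are assumptions, and the second form follows the bracing guidance F5 describes above:

```tcl
# Added example, not from the article. A hypothetical iRule that reads a
# client-supplied header and uses it in an arithmetic expression.

# UNSAFE PATTERN: the argument to expr is not braced, so Tcl first substitutes
# the header value into the command line and expr then parses the resulting
# string as a fresh expression. Any $ or [ ] characters in the untrusted value
# are interpreted as Tcl, not treated as data (double substitution).
when HTTP_REQUEST {
    set limit [HTTP::header "X-Page-Size"]
    if { [expr $limit * 2] > 100 } {
        HTTP::respond 400 content "page too large"
    }
}

# HARDENED PATTERN: the expression is braced, so expr sees it literally and
# performs a single, controlled substitution of $limit as a value. The header
# is also validated as an integer first, so a non-numeric value produces a
# handled 400 response rather than a Tcl syntax error (the kind of error the
# article suggests alarming on in a SIEM).
when HTTP_REQUEST {
    set limit [HTTP::header "X-Page-Size"]
    if { ![string is integer -strict $limit] } {
        HTTP::respond 400 content "invalid page size"
        return
    }
    if { [expr {$limit * 2}] > 100 } {
        HTTP::respond 400 content "page too large"
    }
}
```

The same review applies to any iRule command that re-evaluates a string built from request data (for example `eval`, `subst` or an unbraced `expr`): brace the expression, or validate the value before it is used.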
