Hackers exploiting F5 BIG-IP devices using iControl REST authentication bypass vulnerability, advisory warns


The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) warned on Wednesday that F5 BIG-IP devices are being actively exploited by hackers. The affected devices carry a critical iControl REST authentication bypass vulnerability. The advisory also noted that an unauthenticated hacker with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services.

The advisory provides technical details of the threat and recommended actions that organizations which did not immediately patch this vulnerability can take to detect possible exploitation or compromise. It further called upon organizations to upgrade F5 BIG-IP software to fixed versions, while enterprises using versions 12.1.x and 11.6.x should upgrade to supported versions.

The authentication bypass vulnerability has been identified in certain versions of F5 BIG-IP devices, including 16.1.x versions such as those prior to 16.1.2.2; 15.1.x versions prior to 15.1.5.1; 14.1.x versions prior to 14.1.4.6; 13.1.x versions prior to 13.1.5; and all 12.1.x and 11.6.x versions. BIG-IP is F5’s line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing in to and out of networks.
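A small version triage helper, added here as an example and not part of the advisory or any F5 tooling, that encodes the affected ranges listed above (fixed versions per branch, and the unsupported 12.1.x / 11.6.x branches that have no fix) so an asset inventory of BIG-IP version strings can be checked in bulk. The version strings in the usage call are constructed samples.

```python
"""Check BIG-IP version strings against the affected ranges stated in the advisory."""
from typing import Dict, Tuple

# First fixed release per branch, as listed in the advisory (13.1.5 padded to 4 parts).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5, 0),
}
# Every release on these branches is affected and there is no fix; upgrade the branch.
UNSUPPORTED_BRANCHES = {(12, 1), (11, 6)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.1.5.1' (or a shorter form such as '13.1.5') into a 4-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Return 'affected', 'fixed', 'unsupported' or 'unknown-branch' for one version."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by the advisory's list
    return "affected" if v < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("lb-a", "16.1.2.1"), ("lb-b", "15.1.5.1"), ("lb-c", "12.1.6")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```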

The advisory acknowledged that F5 had released a patch for the vulnerability on May 4, with proof-of-concept (POC) exploits that have since been publicly released, enabling less sophisticated hackers to exploit the vulnerability. “Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems,” it added. 

The CISA and MS-ISAC advisory referenced a 2020 alert that CISA issued in response to exploits disclosed at the time targeting F5 BIG-IP devices vulnerable to an RCE (remote code execution) flaw in the BIG-IP Traffic Management User Interface (TMUI). Affected organizations that have not applied the patch for that critical RCE vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system.

CISA and MS-ISAC have asked users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this advisory, including upgrading their software to fixed versions, to help secure their organization’s systems against malicious cyber operations. “Additionally, CISA and MS-ISAC strongly encourage administrators to deploy the signatures included in this CSA to help determine whether their systems have been compromised,” it added. 

The CISA and MS-ISAC advisory also encouraged organizations that did not patch immediately, or whose F5 BIG-IP device management interface has been exposed to the internet, to assume compromise and hunt for malicious activity using the detection signatures in the advisory. If a potential compromise is detected, organizations should apply the incident response recommendations included in the guidance. The advisory also comes with Snort and Suricata signatures to detect compromised systems.

“The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices,” Cisco Talos researchers wrote in a blog post last week. “This vulnerability aims to target the iControl REST service with a path under ‘/mgmt’ and relies on the specification of the X-F5-Auth-Token in the HTTP Connection header. The vulnerability was assigned a CVSSv3 score of 9.8 out of 10,” they added.
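A request triage helper, added as an example and not code from the advisory, Cisco Talos or F5, that applies the two conditions quoted above (a path under /mgmt and X-F5-Auth-Token named in the Connection header) to raw HTTP requests, as a defender would when reviewing a full-request capture from a proxy or WAF in front of the management interface. The request samples are constructed; the endpoint paths in them are placeholders.

```python
"""Flag captured HTTP requests that match the condition described in the Talos quote."""
from typing import Dict, List, Tuple


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_suspicious(raw: str) -> bool:
    """True when the path is under /mgmt and Connection lists X-F5-Auth-Token."""
    _method, path, headers = parse_request(raw)
    if not path.startswith("/mgmt"):
        return False
    # Connection is a comma-separated list of header names; compare case-insensitively.
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "x-f5-auth-token" in tokens


def triage(requests: List[str]) -> List[int]:
    """Return the indexes of requests worth escalating for incident response."""
    return [i for i, r in enumerate(requests) if is_suspicious(r)]


# Constructed samples: the first is a normal keep-alive request, the second matches.
SAMPLES = [
    "GET /mgmt/example HTTP/1.1\r\nHost: bigip.example\r\nConnection: keep-alive\r\n\r\n",
    "POST /mgmt/example HTTP/1.1\r\nHost: bigip.example\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n\r\n",
    "GET /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
    "Connection: X-F5-Auth-Token\r\n\r\n",
]

if __name__ == "__main__":
    print("escalate request indexes:", triage(SAMPLES))
```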

Over the last several days, PoC exploit code has been circulating on Twitter and GitHub, underscoring the variety of ways the vulnerability can be exploited, the Cisco researchers added. 

Providing incident response advice in case of system compromise, the CISA and MS-ISAC advisory recommended that organizations quarantine or take offline potentially affected hosts, reimage compromised hosts, and provision new account credentials. The guidance also suggested limiting access to the management interface to the fullest extent possible, while also collecting and reviewing artifacts, such as running processes/services, unusual authentications, and recent network connections. It also advised organizations to report such compromises to CISA.

CISA and MS-ISAC recommend organizations upgrade F5 BIG-IP software to fixed versions, while organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. If unable to immediately patch, organizations must implement F5’s temporary workarounds, including blocking iControl REST access through the self IP address, blocking iControl REST access through the management interface, and modifying the BIG-IP ‘httpd’ configuration.

CISA and MS-ISAC also recommend organizations apply various best practices to reduce the risk of compromise, including maintaining and testing an incident response plan. The advisory also suggested ensuring that the organization has a vulnerability program in place that prioritizes patch management and vulnerability scanning, and it recommended properly configuring and securing internet-facing network devices and adopting zero-trust principles and architecture.
