The F5 Big-IP Hack Explained
- March 21, 2021
- Posted by: Muhammad Afaq Khan, CCIE #9070
- Category: Cybersecurity
Another week, and another hack. If the SolarWinds and Microsoft Exchange hacks were not enough, F5 to the rescue. With a high-severity vulnerability, a patch-ASAP-grade, you can bet attackers reacted like sharks that smell blood in the water. Just for some historical context, a similarly critical remote code execution or RCE vulnerability in BIG-IP appliances was also heavily exploited back in July 2020.
What is F5 BIG-IP Appliance
So, in this article, I want to discuss what happened, who did it, why it matters, and what it means for You. Now, if you didn’t know, F5 is the 400-pound gorilla in the Application Delivery Controller or ADC $3.5B market. BIG-IP is a family of products that provide application security, traffic management, and application performance solutions. It is available in virtual, physical and cloud-hosted form factors. Architecturally speaking, the BIG-IP solution consists of three big components and those are Local Traffic Manager or LTM, BIG-IP DNS, and the BIG-IQ management platform.
BIG-IP Hack Timeline of Events
So, here is what happened. On March 10th, F5 disclosed and patched a total of 21 BIG-IP vulnerabilities and one of them had to do with the BIG-IP REST API interface where an attacker could open an unauthenticated remote command execution, take over the appliance much like an admin, modify the configuration, disable various services and eventually use it as a springboard to get deeper into the network behind the appliance. F5 patched and released code with the fixes and that’s when hackers reverse-engineered the Java code and started exploiting the vulnerabilities in the wild with any BIG-IP appliances they could find.
A week later, on March 19th, after F5 published the list of CVEs, several researchers posted proof-of-concept code after reverse-engineering the Java software patch in BIG-IP. The cybersecurity firm NCC Group said that it found successful exploitation of these vulnerabilities in BIG-IP and BIG-IQ platforms. What that means is that the full exploit-chain had been reproduced and that means public exploits were already underway.
Anyhow, the exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the Server-Side Request Forgery or SSRF vulnerability to gain an authenticated session token. And secondly, this authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication. The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an authenticated user to execute commands on the underlying server with root privileges. However, as the REST API is designed for remote administration, there are many endpoints which an attacker might wish to take advantage of.
Exploiting this vulnerability comes with two preconditions. Number one. You must have access to the BIG-IP management interface IP address. The management interface is known as Traffic Management User Interface or TMUI what that means is that BIG-IP’s data plane is not vulnerable as the attack is only applicable to the control or management plane. Number two. You must be running an unpatched firmware.
Why F5 BIG-IP Hack is a Big Deal
Anyhow, you may be wondering, why it matters and why is this hack a big deal. There are two big reasons. Number one. F5 provides enterprise networking to some of the largest tech companies in the world, we’re talking about Facebook, Microsoft, Oracle, as well as a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.
Number two. The BIG-IP is a very juicy target because it can handle highly sensitive data. An attacker with full control over a load balancing appliance can also take control over the web applications served through it. So, what does it mean for you?
Number one. Hacks are ramping up and we’re living in a new normal. Within three months, we had SolarWinds, the biggest and most sophisticated supply chain attack to ever occur. We had a Microsoft Exchange hack, where more than a quarter of a million exchange servers were impacted. And now, F5 BIG-IP.
Number two. It is super critical to apply software patches immediately after they are released by the vendor. If you can’t apply the patches, you need to remove the public access and put the service behind a VPN.
Number three. A hack leaves clues. So, always pay attention to the Logs. If your install base is already compromised, then system logs is generally the best place to start when looking for clues. This was true with Microsoft Exchange and is true with the BIG-IP hack. In case of BIG-IP, the logs show successful exploitation when you see a successful authentication with an empty Auth Token.
THANK you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.
Author:Muhammad Afaq Khan, CCIE #9070
0 (0) Today, we live in a world where there is nothing, and I mean nothing, off the limits for cyberattacks and particularly ransomware attacks. Our hospitals, our universities, oil pipelines, and now even our meat is under cyberattack. The cyberattack that flattened the IT operations at JBS Foods over the weekend turns out was […]
0 (0) Ransomware has been a growing menace for years, but there has been a marked increase, during the recent months, in sophistication and level of innovation in this portion of the cybercrime underbelly. If you didn’t know, cybercrime comes in many different types, such as email and internet fraud, identity theft, financial theft like […]
0 (0) It’s time to check your Pulse. I mean your Pulse Connect Secure VPN appliance. Hackers have been exploiting several previously known and one zero-day vulnerabilities affecting Pulse Connect Secure aka PCS VPN appliances. They are targeting defense, government, and financial organizations around the world. According to FireEye, several threat actors have been exploiting […]
5 (2) OK, we now have another supply chain attack that could become the next big hack. When April fools’ jokes were being published online, one company known as Codecov discovered something that was far from a joke. So, who is Codecov? Codecov is one of the many DevOps tools out there. It provides hosted […]
5 (2) So, what is Ethical Hacking? Well, it is hacking ethically. OK, that was not helpful. There are two types of hacking, white hat hacking, black hat hacking. They use similar tools and have similar goals, so then what is the difference. Well, there is one big difference and that has to do with […]
How useful was this post?