Blog

CCIEin8Weeks > Blog > Cybersecurity > The F5 Big-IP Hack Explained

The F5 Big-IP Hack Explained

March 21, 2021
Posted by: Muhammad Afaq Khan, CCIE #9070
Category: Cybersecurity

Another week, and another hack. If the SolarWinds and Microsoft Exchange hacks were not enough, F5 to the rescue. With a high-severity vulnerability, a patch-ASAP-grade, you can bet attackers reacted like sharks that smell blood in the water. Just for some historical context, a similarly critical remote code execution or RCE vulnerability in BIG-IP appliances was also heavily exploited back in July 2020.

Table of Contents hide

1 What is F5 BIG-IP Appliance

2 BIG-IP Hack Timeline of Events

3 Exploit Breakdown

4 Exploit Preconditions

5 Why F5 BIG-IP Hack is a Big Deal

What is F5 BIG-IP Appliance

So, in this article, I want to discuss what happened, who did it, why it matters, and what it means for You. Now, if you didn’t know, F5 is the 400-pound gorilla in the Application Delivery Controller or ADC $3.5B market. BIG-IP is a family of products that provide application security, traffic management, and application performance solutions. It is available in virtual, physical and cloud-hosted form factors. Architecturally speaking, the BIG-IP solution consists of three big components and those are Local Traffic Manager or LTM, BIG-IP DNS, and the BIG-IQ management platform.

BIG-IP Hack Timeline of Events

So, here is what happened. On March 10th, F5 disclosed and patched a total of 21 BIG-IP vulnerabilities and one of them had to do with the BIG-IP REST API interface where an attacker could open an unauthenticated remote command execution, take over the appliance much like an admin, modify the configuration, disable various services and eventually use it as a springboard to get deeper into the network behind the appliance. F5 patched and released code with the fixes and that’s when hackers reverse-engineered the Java code and started exploiting the vulnerabilities in the wild with any BIG-IP appliances they could find.

A week later, on March 19th, after F5 published the list of CVEs, several researchers posted proof-of-concept code after reverse-engineering the Java software patch in BIG-IP. The cybersecurity firm NCC Group said that it found successful exploitation of these vulnerabilities in BIG-IP and BIG-IQ platforms. What that means is that the full exploit-chain had been reproduced and that means public exploits were already underway.

Exploit Breakdown

Anyhow, the exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the Server-Side Request Forgery or SSRF vulnerability to gain an authenticated session token. And secondly, this authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication. The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an authenticated user to execute commands on the underlying server with root privileges. However, as the REST API is designed for remote administration, there are many endpoints which an attacker might wish to take advantage of.

Exploit Preconditions

Exploiting this vulnerability comes with two preconditions. Number one. You must have access to the BIG-IP management interface IP address. The management interface is known as Traffic Management User Interface or TMUI what that means is that BIG-IP’s data plane is not vulnerable as the attack is only applicable to the control or management plane. Number two. You must be running an unpatched firmware.

Why F5 BIG-IP Hack is a Big Deal

Anyhow, you may be wondering, why it matters and why is this hack a big deal. There are two big reasons. Number one. F5 provides enterprise networking to some of the largest tech companies in the world, we’re talking about Facebook, Microsoft, Oracle, as well as a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

Number two. The BIG-IP is a very juicy target because it can handle highly sensitive data. An attacker with full control over a load balancing appliance can also take control over the web applications served through it. So, what does it mean for you?

Number one. Hacks are ramping up and we’re living in a new normal. Within three months, we had SolarWinds, the biggest and most sophisticated supply chain attack to ever occur. We had a Microsoft Exchange hack, where more than a quarter of a million exchange servers were impacted. And now, F5 BIG-IP.

Number two. It is super critical to apply software patches immediately after they are released by the vendor. If you can’t apply the patches, you need to remove the public access and put the service behind a VPN.

Number three. A hack leaves clues. So, always pay attention to the Logs. If your install base is already compromised, then system logs is generally the best place to start when looking for clues. This was true with Microsoft Exchange and is true with the BIG-IP hack. In case of BIG-IP, the logs show successful exploitation when you see a successful authentication with an empty Auth Token.

THANK you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.

Author:Muhammad Afaq Khan, CCIE #9070

Muhammad Afaq Khan started his professional career at Cisco TAC San Jose and passed his first CCIE in 2002. He held multiple technical and management positions at Cisco HQ over his 11 years tenure at the company before moving into cloud software and data center infrastructure IT markets. He has worked at startups as well as Fortune 100 companies in senior leadership positions over his career. He is also a published author (Cisco Press, 2009) and holds multiple patents in the areas of networking, security and virtualization. Currently, he is a founder at Full Stack Networker and a vocal advocate for network automation technologies and NetDevOps. You can check his accomplishments at https://bit.ly/3qZsCLm

best-selling-cisco-study-guides_cciein8weeks

The Future of Ransomware: JBS Ransomware 2021 Explained

0 (0) Today, we live in a world where there is nothing, and I mean nothing, off the limits for cyberattacks and particularly ransomware attacks. Our hospitals, our universities, oil pipelines, and now even our meat is under cyberattack. The cyberattack that flattened the IT operations at JBS Foods over the weekend turns out was […]

Axis of REvil - The shifting landscape of ransomware

The Shifting Landscape of Ransomware Attacks

0 (0) Ransomware has been a growing menace for years, but there has been a marked increase, during the recent months, in sophistication and level of innovation in this portion of the cybercrime underbelly. If you didn’t know, cybercrime comes in many different types, such as email and internet fraud, identity theft, financial theft like […]

Pulse Secure Connect PCS VPN Hack Explained

0 (0) It’s time to check your Pulse. I mean your Pulse Connect Secure VPN appliance. Hackers have been exploiting several previously known and one zero-day vulnerabilities affecting Pulse Connect Secure aka PCS VPN appliances. They are targeting defense, government, and financial organizations around the world. According to FireEye, several threat actors have been exploiting […]

Codecov Supply Chain Attack Explained

5 (2) OK, we now have another supply chain attack that could become the next big hack. When April fools’ jokes were being published online, one company known as Codecov discovered something that was far from a joke. So, who is Codecov? Codecov is one of the many DevOps tools out there. It provides hosted […]

Ethical Hacking Explained | The Scope, Goals, and How You Can Become One

5 (2) So, what is Ethical Hacking? Well, it is hacking ethically. OK, that was not helpful. There are two types of hacking, white hat hacking, black hat hacking. They use similar tools and have similar goals, so then what is the difference. Well, there is one big difference and that has to do with […]

{ "@context": "http://schema.org", "@type": "Course", "aggregateRating": { "@type": "AggregateRating", "bestRating": "5", "ratingCount": "1", "ratingValue": "5" }, "image": "https://www.cciein8weeks.com/wp-content/uploads/2021/03/f5-big-ip-hack.png", "name": "The F5 Big-IP Hack Explained", "description": "The F5 Big-IP Hack Explained"}

Login/Sign Up

Search

Menu