The F5 Big-IP Hack Explained
- March 21, 2021
- Posted by: Muhammad Afaq Khan, CCIE #9070
- Category: Cybersecurity
Another week, another hack. If the SolarWinds and Microsoft Exchange hacks were not enough, F5 to the rescue. With a high-severity, patch-immediately vulnerability on the table, you can bet attackers reacted like sharks that smell blood in the water. For some historical context, a similarly critical remote code execution (RCE) vulnerability in BIG-IP appliances was also heavily exploited back in July 2020.
What is F5 BIG-IP Appliance
So, in this article, I want to discuss what happened, who did it, why it matters, and what it means for you. Now, if you didn’t know, F5 is the 400-pound gorilla of the $3.5B Application Delivery Controller (ADC) market. BIG-IP is a family of products that provide application security, traffic management, and application performance solutions, and it is available in virtual, physical, and cloud-hosted form factors. Architecturally speaking, the BIG-IP solution consists of three big components: Local Traffic Manager (LTM), BIG-IP DNS, and the BIG-IQ management platform.
BIG-IP Hack Timeline of Events
So, here is what happened. On March 10th, F5 disclosed and patched a total of 21 BIG-IP vulnerabilities. One of them affected the BIG-IP REST API interface: an attacker could achieve unauthenticated remote command execution, take over the appliance much like an admin, modify the configuration, disable various services, and eventually use the appliance as a springboard to get deeper into the network behind it. F5 released code with the fixes, and that is when hackers reverse-engineered the patched Java code and started exploiting the vulnerabilities in the wild against any BIG-IP appliances they could find.
A week later, on March 19th, after F5 published the list of CVEs, several researchers posted proof-of-concept code after reverse-engineering the Java software patch in BIG-IP. The cybersecurity firm NCC Group said it had found successful exploitation of these vulnerabilities on BIG-IP and BIG-IQ platforms. In other words, the full exploit chain had been reproduced, and public exploits were already in use.
Anyhow, exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the Server-Side Request Forgery (SSRF) vulnerability to obtain an authenticated session token. Second, that authenticated session can then be used to interact with REST API endpoints that would otherwise require authentication. The most useful endpoint for an attacker is tm/util/bash, which allows an authenticated user to execute commands on the underlying server with root privileges. However, since the REST API is designed for remote administration, there are many other endpoints an attacker might wish to take advantage of.
Exploiting this vulnerability comes with two preconditions. Number one. You must have access to the BIG-IP management interface IP address. The management interface is known as the Traffic Management User Interface (TMUI), which means that BIG-IP’s data plane is not vulnerable; the attack applies only to the control or management plane. Number two. The appliance must be running unpatched firmware.
Why F5 BIG-IP Hack is a Big Deal
Anyhow, you may be wondering why it matters and why this hack is a big deal. There are two big reasons. Number one. F5 provides enterprise networking to some of the largest tech companies in the world; we’re talking about Facebook, Microsoft, and Oracle, as well as a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.
Number two. BIG-IP is a very juicy target because it handles highly sensitive data. An attacker with full control over a load-balancing appliance can also take control of the web applications served through it. So, what does it mean for you?
Number one. Hacks are ramping up, and we’re living in a new normal. Within three months, we had SolarWinds, the biggest and most sophisticated supply chain attack ever to occur. We had the Microsoft Exchange hack, where more than a quarter of a million Exchange servers were impacted. And now, F5 BIG-IP.
Number two. It is critical to apply software patches immediately after the vendor releases them. If you can’t apply the patches, remove public access and put the service behind a VPN.
Number three. A hack leaves clues, so always pay attention to the logs. If your install base is already compromised, the system logs are generally the best place to start looking for clues. This was true with Microsoft Exchange, and it is true with the BIG-IP hack. In the case of BIG-IP, the logs show successful exploitation when you see a successful authentication with an empty auth token.
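To make that indicator concrete, here is an added detection example that is not part of the article and not F5 code. It scans audit-style log lines for the pattern the article describes (a successful authentication whose auth token is empty) and then checks whether the same source address went on to call the tm/util/bash endpoint mentioned earlier. The log layout (`kind key=value ...`), the field names, the timestamps and the addresses are all constructed for the example; the real restjavad audit log is formatted differently, so `parse_line()` is the one function to adapt before running this against production logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit lines in an assumed "kind key=value ..." layout.
# They are not real BIG-IP output; the real restjavad audit log differs,
# so parse_line() is the one function to adapt to a production format.
SAMPLE_LOG = """\
2021-03-19T10:15:02Z restjavad AUTH result=success user=admin token=f1c3a9e2 src=10.1.1.5
2021-03-19T10:16:44Z restjavad AUTH result=success user=admin token= src=203.0.113.7
2021-03-19T10:16:45Z restjavad REQUEST user=admin uri=/mgmt/tm/util/bash src=203.0.113.7
2021-03-19T10:17:10Z restjavad AUTH result=failure user=admin token= src=198.51.100.9
2021-03-19T10:18:00Z restjavad REQUEST user=admin uri=/mgmt/tm/sys/version src=10.1.1.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+restjavad\s+(?P<kind>AUTH|REQUEST)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
BASH_ENDPOINT = "/mgmt/tm/util/bash"  # the endpoint the article singles out


@dataclass
class Event:
    ts: str
    kind: str              # "AUTH" or "REQUEST"
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m.group("ts"), m.group("kind"), dict(KV_RE.findall(m.group("rest"))))


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def find_empty_token_auths(events: List[Event]) -> List[Event]:
    """The article's indicator: authentication succeeded, yet the token is empty.
    Failed attempts with an empty token are ordinary noise and are not flagged."""
    return [
        ev for ev in events
        if ev.kind == "AUTH"
        and ev.fields.get("result") == "success"
        and ev.fields.get("token", "") == ""
    ]


def followed_by_bash(events: List[Event], auth: Event) -> bool:
    """True if the same source address later called the tm/util/bash endpoint.
    Timestamps are ISO-8601 in one fixed zone, so string comparison orders them."""
    src = auth.fields.get("src")
    return any(
        ev.kind == "REQUEST"
        and ev.fields.get("src") == src
        and ev.fields.get("uri") == BASH_ENDPOINT
        and ev.ts >= auth.ts
        for ev in events
    )


def build_report(text: str) -> List[Dict[str, object]]:
    """One finding per suspicious authentication, with the follow-on command-execution flag."""
    events = parse_log(text)
    return [
        {
            "ts": a.ts,
            "src": a.fields.get("src", ""),
            "user": a.fields.get("user", ""),
            "bash_after_auth": followed_by_bash(events, a),
        }
        for a in find_empty_token_auths(events)
    ]


if __name__ == "__main__":
    for finding in build_report(SAMPLE_LOG):
        print(finding)
```

On the constructed input only the 203.0.113.7 entry is reported, and it is marked `bash_after_auth: True` because that address hit tm/util/bash a second later; the legitimate admin session with a real token and the failed attempt with an empty token are left alone. A finding with the bash flag set is the one to escalate first, since it matches the full chain the article describes rather than a lone odd authentication.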
Thank you for reading this article, I hope you found it helpful. I’d love to hear your thoughts.