View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 8, 2020updated 09 Jul 2020 7:32am

6,000 F5 Networks Customers Still Potentially Vulnerable, After Mitigation Bypass: Patch Now Updated

Updated mitigation available now

By CBR Staff Writer

The fallout from a deeply critical (CVSS 10) security flaw in F5 Networks’ BIG-IP tool  continues, after security firm CRITICALSTART revealed that mitigation could be bypassed and an NCC Group honeypot showed the bypass being exploited in the wild.

UK-based security firm NCC Group has been tracking the incident closely and says that approximately 6,000 internet exposed F5 devices are now potentially vulnerable again.

F5 Networks Mitigation Bypass: New Version Below

F5 Networks has updated its guidance, saying:

The earlier version of the mitigation, which used <LocationMatch “.*\.\.;.*”> was determined to be incomplete and susceptible to bypass. If you implemented the earlier mitigation you should replace it with the updated version using <LocationMatch “;”>.”

Reports of the bypass first came at 18:24 on July 7, 2020, NCC’s security researchers noted, adding: “Our data shows this bypass was first publicly exploited at 12:39 on July 7, 2020 (6 hours before).”

Exploitation using the popular Metasploit toolkit has also been observed in the wild since Sunday (July 6), with NCC observing web shells the same day that appear to be a “reused web shell from Citrix”.

A BIG-IP breach lets an attacker acquire credentials, license keys, pivot to internal networks and intercept/modify traffic. A reported 48 of the Fortune 50 being F5 customers.

Early honeypots showed rapid exploitation of the bug, with attackers uploading cryptominers. More dangerous malware is likely to follow, or already be in exposed networks.

Remediation is essential, as is patching.

The depth of the vulnerability has raised awkward questions for F5 about product security, but with the somewhat all-powerful exploit fitting in a tweet, several security professionals have queried whether the firms’ QA processes were robust enough.

F5 Networks has apologised and issued a fresh security advisory. It recommends that users restrict all access to the management interface and Self-IPs and, if possible, deny all public access.

F5 Networks notes in its updated guidance: “You can block all access to the Configuration utility of your BIG-IP system using self IPs.

“To do so, you can change the Port Lockdown setting to Allow None for each self IP in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to the Configuration utility. By default, the Configuration utility listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, you can configure a custom port.”

The company adds in a short warning: “Note: Performing this action prevents all access to the Configuration utility using the self IP. These changes may also impact other services, including breaking HA configurations.”


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.