
6,000 F5 Networks Customers Still Potentially Vulnerable, After Mitigation Bypass: Patch Now Updated

The fallout from a deeply critical (CVSS 10) security flaw in F5 Networks’ BIG-IP tool continues, after security firm CRITICALSTART revealed that the mitigation could be bypassed and an NCC Group honeypot showed the bypass being exploited in the wild.

UK-based security firm NCC Group has been tracking the incident closely and says that approximately 6,000 internet-exposed F5 devices are now potentially vulnerable again.

F5 Networks Mitigation Bypass: New Version Below

F5 Networks has updated its guidance, saying:

“The earlier version of the mitigation, which used <LocationMatch ".*\.\.;.*">, was determined to be incomplete and susceptible to bypass. If you implemented the earlier mitigation, you should replace it with the updated version using <LocationMatch ";">.”
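As an added illustration (not from the article or from F5), the following Python applies both quoted LocationMatch patterns to request paths parsed from constructed access-log lines, showing which requests the earlier rule missed and the updated rule catches. Hosts, paths and timestamps are made up.

```python
import re

# The two patterns quoted from F5's guidance: the earlier (bypassable)
# mitigation only matched a "..;" sequence; the updated one matches any ";".
EARLIER_PATTERN = re.compile(r".*\.\.;.*")
UPDATED_PATTERN = re.compile(r";")

# Constructed access-log lines in common log format (hypothetical traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/2020:12:39:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 512
203.0.113.7 - - [07/Jul/2020:12:39:05 +0000] "GET /admin/..;/hidden.jsp HTTP/1.1" 200 87
198.51.100.9 - - [07/Jul/2020:12:40:11 +0000] "GET /admin/index.jsp;x=1 HTTP/1.1" 200 512
"""

# Pulls the method and request path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify(path):
    """Return which mitigation pattern(s) would match this request path.

    LocationMatch applies its regex anywhere in the path, so re.search
    (not re.match) reproduces that behaviour.
    """
    return {
        "earlier": bool(EARLIER_PATTERN.search(path)),
        "updated": bool(UPDATED_PATTERN.search(path)),
    }


def scan_log(text):
    """Return (path, verdicts) for every request the updated rule would block.

    Entries where verdicts["earlier"] is False are requests the original
    mitigation would have let through.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdicts = classify(m.group("path"))
        if verdicts["updated"]:
            hits.append((m.group("path"), verdicts))
    return hits


if __name__ == "__main__":
    for path, verdicts in scan_log(SAMPLE_LOG):
        print(path, verdicts)
```

Because the updated rule matches any semicolon, it also catches legitimate path parameters (for example `;jsessionid=` as used by some Java applications), so expect some false positives when running this over real access logs.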


Reports of the bypass first came at 18:24 on July 7, 2020, NCC’s security researchers noted, adding: “Our data shows this bypass was first publicly exploited at 12:39 on July 7, 2020 (6 hours before).”

Exploitation using the popular Metasploit toolkit has also been observed in the wild since Sunday (July 6), with NCC observing web shells the same day that appear to be a “reused web shell from Citrix”.

A BIG-IP breach lets an attacker acquire credentials and license keys, pivot to internal networks, and intercept or modify traffic. A reported 48 of the Fortune 50 are F5 customers.

Early honeypots showed rapid exploitation of the bug, with attackers uploading cryptominers. More dangerous malware is likely to follow, or already be in exposed networks.

Remediation is essential, as is patching.

The depth of the vulnerability has raised awkward questions for F5 about product security, and with the somewhat all-powerful exploit fitting in a tweet, several security professionals have queried whether the firm’s QA processes were robust enough.

F5 Networks has apologised and issued a fresh security advisory. It recommends that users restrict all access to the management interface and Self-IPs and, if possible, deny all public access.

F5 Networks notes in its updated guidance: “You can block all access to the Configuration utility of your BIG-IP system using self IPs.

“To do so, you can change the Port Lockdown setting to Allow None for each self IP in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to the Configuration utility. By default, the Configuration utility listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, you can configure a custom port.”

The company adds in a short warning: “Note: Performing this action prevents all access to the Configuration utility using the self IP. These changes may also impact other services, including breaking HA configurations.”

 

CBR Staff Writer
