The fallout from a deeply critical (CVSS 10) security flaw in F5 Networks’ BIG-IP tool continues, after security firm CRITICALSTART revealed that mitigation could be bypassed and an NCC Group honeypot showed the bypass being exploited in the wild.
UK-based security firm NCC Group has been tracking the incident closely and says that approximately 6,000 internet-exposed F5 devices are now potentially vulnerable again.
F5 Networks Mitigation Bypass: New Version Below
F5 Networks has updated its guidance, saying:
“The earlier version of the mitigation, which used <LocationMatch ".*\.\.;.*"> was determined to be incomplete and susceptible to bypass. If you implemented the earlier mitigation you should replace it with the updated version using <LocationMatch ";">.”
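To check which of the two quoted rules a device actually carries, the following added example (not F5's or NCC Group's code) extracts each LocationMatch pattern from a config fragment and tests whether it matches every path containing a semicolon. The probe paths and sample fragments are constructed, the block body is a placeholder, and Python's `re` is assumed to behave like httpd's unanchored regex matching for these simple patterns.

```python
import re

EARLIER = r".*\.\.;.*"  # earlier mitigation pattern quoted on this page
# Constructed probe paths (not real BIG-IP URLs); each contains a semicolon,
# which the updated <LocationMatch ";"> rule matches wherever it appears.
PROBES = ["/a/..;/b", "/a;/b", "/a/b;x=1", "/a/.;/b"]
# Opening tag of a LocationMatch block. Accepts straight or curly quotes,
# because copies of advisory text often carry typographic quotes.
_TAG = re.compile(r"<LocationMatch\s+[\"“”]?(.*?)[\"“”]?\s*>", re.IGNORECASE)

# Constructed config fragments; the block body is a placeholder.
SAMPLE_EARLIER = '<LocationMatch ".*\\.\\.;.*">\n  # body per vendor advisory\n</LocationMatch>\n'
SAMPLE_UPDATED = '<LocationMatch ";">\n  # body per vendor advisory\n</LocationMatch>\n'


def location_match_patterns(config_text):
    """Return the regex of each LocationMatch block, skipping comment lines."""
    patterns = []
    for line in config_text.splitlines():
        stripped = line.strip()
        match = None if stripped.startswith("#") else _TAG.search(stripped)
        if match:
            patterns.append(match.group(1))
    return patterns


def covers_every_semicolon(pattern):
    """True if the pattern matches all probes (unanchored search)."""
    try:
        rx = re.compile(pattern)
    except re.error:  # syntax Python's re cannot parse: treat as not covering
        return False
    return all(rx.search(path) for path in PROBES)


def audit(config_text):
    """Classify the config as 'updated', 'earlier-only' or 'missing'."""
    patterns = location_match_patterns(config_text)
    if any(covers_every_semicolon(p) for p in patterns):
        return "updated"
    return "earlier-only" if EARLIER in patterns else "missing"


if __name__ == "__main__":
    for name, text in [("earlier", SAMPLE_EARLIER), ("updated", SAMPLE_UPDATED)]:
        print(name, "->", audit(text))
```

The check looks only at the pattern, not at what the block does with a match, so an "updated" result still needs the block body compared against the advisory.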
Reports of the bypass first came at 18:24 on July 7, 2020, NCC’s security researchers noted, adding: “Our data shows this bypass was first publicly exploited at 12:39 on July 7, 2020 (6 hours before).”
Exploitation using the popular Metasploit toolkit has also been observed in the wild since Sunday (July 6), with NCC observing web shells the same day that appear to be a “reused web shell from Citrix”.
On CVE-2020-5902 (K52145254) early data available to us is showing of ~10,000 Internet exposed F5 devices that ~6,000 were made potentially vulnerable again due to the bypass disclosed yesterday evening – https://t.co/sSr4JIZwu3
— NCC Group Infosec (@NCCGroupInfosec) July 8, 2020
A BIG-IP breach lets an attacker acquire credentials and license keys, pivot to internal networks and intercept/modify traffic. A reported 48 of the Fortune 50 are F5 customers.
Early honeypots showed rapid exploitation of the bug, with attackers uploading cryptominers. More dangerous malware is likely to follow, or already be in exposed networks.
Remediation is essential, as is patching.
The depth of the vulnerability has raised awkward questions for F5 about product security: with the somewhat all-powerful exploit fitting in a tweet, several security professionals have queried whether the firm’s QA processes were robust enough.
I’m kind of curious what the cybersecurity culture (specifically product security culture up to executive levels) is like at F5. Everyone has an occasional critical vuln, but this one was… wild. How did it squeak past? Could they have had a more effective bounty program?
— Lesley Carhart (@hacks4pancakes) July 6, 2020
F5 Networks has apologised and issued a fresh security advisory. It recommends that users restrict all access to the management interface and Self-IPs and, if possible, deny all public access.
The updated Security Advisory is finally live: https://t.co/47ITWz0Ma1
Very sorry, that took much longer than I expected it to. Updated mitigation and a number of other changes in response to the questions and feedback we've received.
— MegaZone (@megazone) July 8, 2020
F5 Networks notes in its updated guidance: “You can block all access to the Configuration utility of your BIG-IP system using self IPs.
“To do so, you can change the Port Lockdown setting to Allow None for each self IP in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to the Configuration utility. By default, the Configuration utility listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, you can configure a custom port.”
The company adds in a short warning: “Note: Performing this action prevents all access to the Configuration utility using the self IP. These changes may also impact other services, including breaking HA configurations.”