Finnish security company F-Secure says banks and other financial services institutions are uniquely vulnerable to a configuration weakness that can be found in the BIG-IP load balancers of Seattle-based F5 Networks. These are widely used in the sector to distribute network or application traffic across a number of servers.
The vulnerability relates to a weakness in the design of the programming language Tcl (pronounced “tickle”) used in F5 Network’s Big-IP iRules: a feature of the company’s load balancing platform that “provides you with unprecedented control to directly manipulate and manage any IP application traffic” as F5 Networks puts it.
The issue is particularly dangerous for a number of reasons: firstly it does not lend itself to deterministic nor heuristic detection; secondly because of the very nature of the load balancing devices, an attacker could delete logs that contain evidence of post-exploit activities – severely hindering any incident investigations.
What’s the Issue with the F5 Networks Devices Exactly?
It’s not strictly a device issue. Certain coding practices when configuring BIG-IP iRules let an attacker turn the compromised BIG-IP device into a “beachhead to launch further attacks… They could also intercept and manipulate web traffic” F-Secure said.
The vulnerability is the result of a design issue in the Tcl language that allows for substitutions in statements and commands; the feature of Tcl can allow injection attacks similar to those seen in SQL or shell scripting languages, where arbitrary user input is interpreted as code and executed.
F5 Networks says the best practice for Tcl scripting is to enclose all expressions, ensuring that they are not substituted or evaluated unexpectedly. (“An additional benefit of this practice is increased performance, as the expressions can be precompiled instead of re-evaluated dynamically at runtime”.)
F-Secure, meanwhile, has open-sourced two tools to help identify such issues.
TestTcl is a library for unit testing Big-IP iRules, and Tclscan: is a tool that lexically scans Tcl code for command injection flaws. (F5 Networks says it has already included detection for some of the common cases where double substitution may happen in iRules, and the BIG-IP system now “attempts to notify the administrator through system log files or at the command line when the configuration is saved, loaded, or validated.”)
F-Secure Senior Security Consultant Christoffer Jerkeby said: “In some cases, exploiting a vulnerable system can be as simple as submitting a command or piece of code as part of a web request, that the technology will execute for the attacker.”
He added: “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”