View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 12, 2019

F-Secure Warns Banks Over “Tickle” Vuln: Here’s Two Free Tools to Help

"Expressions in Tcl should always be braced..."

By CBR Staff Writer

Finnish security company F-Secure says banks and other financial services institutions are uniquely vulnerable to a configuration weakness that can be found in the BIG-IP load balancers of Seattle-based F5 Networks. These are widely used in the sector to distribute network or application traffic across a number of servers.

The vulnerability relates to a weakness in the design of the programming language Tcl (pronounced “tickle”) used in F5 Network’s Big-IP iRules: a feature of the company’s load balancing platform that “provides you with unprecedented control to directly manipulate and manage any IP application traffic” as F5 Networks puts it.

The issue is particularly dangerous for a number of reasons: firstly it does not lend itself to deterministic nor heuristic detection; secondly because of the very nature of the load balancing devices, an attacker could delete logs that contain evidence of post-exploit activities – severely hindering any incident investigations.

What’s the Issue with the F5 Networks Devices Exactly?

It’s not strictly a device issue. Certain coding practices when configuring BIG-IP iRules let an attacker turn the compromised BIG-IP device into a “beachhead to launch further attacks… They could also intercept and manipulate web traffic” F-Secure said.

The vulnerability is the result of a design issue in the Tcl language that allows for substitutions in statements and commands; the feature of Tcl can allow injection attacks similar to those seen in SQL or shell scripting languages, where arbitrary user input is interpreted as code and executed.

F5 Networks says the best practice for Tcl scripting is to enclose all expressions, ensuring that they are not substituted or evaluated unexpectedly. (“An additional benefit of this practice is increased performance, as the expressions can be precompiled instead of re-evaluated dynamically at runtime”.)

F-Secure, meanwhile, has open-sourced two tools to help identify such issues.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

TestTcl is a library for unit testing Big-IP iRules, and Tclscan: is a tool that lexically scans Tcl code for command injection flaws. (F5 Networks says it has already included detection for some of the common cases where double substitution may happen in iRules, and the BIG-IP system now “attempts to notify the administrator through system log files or at the command line when the configuration is saved, loaded, or validated.”)

F-Secure Senior Security Consultant Christoffer Jerkeby said: “In some cases, exploiting a vulnerable system can be as simple as submitting a command or piece of code as part of a web request, that the technology will execute for the attacker.”

He added: “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”

Read this: Why NGINX’s $670 Million Acquisition Matters


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.