F5 has fixed more than a dozen high-severity security vulnerabilities in its networking devices, one of which is elevated to critical severity with a CVSS score of 9.9 under specific conditions. All of the vulnerabilities are part of this month’s delivery of security updates, which addresses almost 30 vulnerabilities across multiple F5 devices.
When the critical vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and disable services. This vulnerability may result in complete system compromise. The vulnerabilities affect multiple versions of BIG-IP and BIG-IQ devices, potentially allowing an attacker to perform a wide range of malicious actions.
Though 30 vulnerabilities may seem like a high number, says Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, “it is par for the course for any notable enterprise tech provider and is a relative drop in the bucket considering the tens of thousands of vulnerabilities disclosed every year.”
Security researchers and adversaries have targeted F5 BIG-IP due to the vulnerable, external nature of the product, says Jonathan Chua, Application Security Consultant at nVisium, a Falls Church, Virginia-based application security provider. Chua adds, “Several F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service. Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company’s network via the external perimeter.”
An example of this, Chua explains, is the F5 Traffic Management User Interface (TMUI), which adversaries are actively exploiting. “This service is often available on a company’s external perimeter and contains a critical remote code execution vulnerability. As a result, if the service is exploited, such a service may provide external attackers an initial foothold in a company’s internal network.”
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, recommends that users consult the F5 advisories to determine whether their equipment is vulnerable. If attackers gain access to any affected devices, especially the web application firewall, they could wreak havoc across an estate. “With so many higher-level vulnerabilities listed, organizations must patch them as soon as possible or risk compromise to critical areas of the infrastructure. If it can’t be done, steps should be taken to mitigate the risk and at least deploy some of the best practice recommendations from F5, like allowing only trusted, authenticated users to access some of the applications.”
IT security teams struggle every day to understand their company’s risk posture and to prioritize the most critical vulnerabilities for remediation and mitigation, Bar-Dayan notes. “Risk management and vulnerability prioritization are essential to effective cyber hygiene and proactive defense of any enterprise network.”