BIG-IP: Critical flaw in F5 app delivery controller leaves 8,000 devices at risk


Customers urged to update after RCE and XSS vulnerabilities unearthed

F5 has patched a critical remote-code execution (RCE) vulnerability in its BIG-IP application delivery controller (ADC) that puts many of the world’s biggest companies at risk.

The application services giant has also fixed an authenticated vulnerability that could lead to cross-site scripting (XSS) attacks.

Attackers who exploit the pre-authorization RCE flaw “can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network”, said Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw, in a post published yesterday (July 2).

Shodan peril

To exploit the RCE flaw, which was found in the ADC’s configuration interface, an attacker with access to the BIG-IP configuration utility “needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration”, according to the article.

Klyuchnikov said RCE can result “from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.

“Fortunately,” he added, “most companies using the product do not enable access to the interface from the internet.”

The high-severity XSS bug – also found in the BIG-IP configuration interface – allows attackers to run malicious JavaScript code, but only if they already have administrator privileges and access to Advanced Shell (bash).

More than 8,000 devices are vulnerable globally, according to threat intelligence monitoring conducted by UK-based Positive Technologies.

Some 40% of those devices are based in the US, 16% are in China, 3% in Taiwan, and 2.5% in Canada and Indonesia.

Mediating communication between servers and their clients, ADCs boost the performance of web applications using techniques such as load balancing, caching, compression, and offloading SSL processing.

Updates and mitigations

Affected companies – those running versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, or 15.1.x – are urged to update to the corresponding, patched versions of BIG-IP: 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.

Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba are advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.

Organizations unable to update immediately can mitigate the RCE flaw by adding a configuration element to httpd and by blocking access to the TMUI of their BIG-IP system via Self IPs.

An F5 security advisory provides details on how to perform these actions.

Restricting management access to F5 products over a secure network can help mitigate both flaws.

Users can further protect against the XSS vulnerability by limiting shell access to trusted users, with further instructions included in a separate advisory.
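The article lists affected branches and the first fixed release in each, so the practical first step for a defender is a patch-compliance sweep over an inventory of BIG-IP hosts. The script below is an added example, not code from the article, F5 or Positive Technologies: it parses dotted version strings, matches each host to its branch, and flags anything below the fixed release named above. The branch-to-fix table is taken from the versions quoted in the article; the hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration, and branches the article does not name are reported as "unlisted" rather than guessed at.

```python
"""Flag BIG-IP hosts still below the fixed release for their branch.

Added example (not from the article, F5 or Positive Technologies).
FIXED_VERSIONS is assembled from the patched versions the article lists;
SAMPLE_INVENTORY is constructed data standing in for a real asset list.
"""
from typing import List, Optional, Tuple

# Affected branch -> first fixed release, as listed in the article.
FIXED_VERSIONS = {
    "11.6": "11.6.5.2",
    "12.1": "12.1.5.2",
    "13.1": "13.1.3.4",
    "14.1": "14.1.2.6",
    "15.0": "15.0.1.4",
    "15.1": "15.1.0.4",
}

# Constructed inventory: (hostname, reported BIG-IP version).
SAMPLE_INVENTORY = [
    ("lb-edge-01.example.internal", "14.1.2.3"),   # below fix -> vulnerable
    ("lb-edge-02.example.internal", "14.1.2.6"),   # at fix -> patched
    ("lb-core-01.example.internal", "15.1.0.4"),   # at fix -> patched
    ("lb-core-02.example.internal", "15.0.1.3"),   # below fix -> vulnerable
    ("lb-lab-01.example.internal", "13.1.3"),      # shorter string, still below 13.1.3.4
    ("lb-lab-02.example.internal", "16.0.0"),      # branch not named by the article
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.2.6' into (14, 1, 2, 6) so versions compare numerically.

    Plain string comparison would rank '14.1.2.10' below '14.1.2.6', so each
    component is converted to int. Non-numeric input raises ValueError.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify one BIG-IP version against the article's fixed releases.

    Returns (status, fixed_version) where status is 'vulnerable', 'patched'
    or 'unlisted'. 'unlisted' means the major.minor branch is not one the
    article names, so no conclusion is drawn for it.
    """
    parsed = parse_version(version)
    branch = ".".join(str(p) for p in parsed[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unlisted", None
    # Tuple comparison treats a shorter prefix as smaller, so '13.1.3'
    # correctly sorts below '13.1.3.4'.
    if parsed < parse_version(fixed):
        return "vulnerable", fixed
    return "patched", fixed


def report(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, current_version, fixed_version) for every vulnerable host."""
    findings = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "vulnerable" and fixed is not None:
            findings.append((host, version, fixed))
    return findings


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        status, fixed = assess(version)
        target = f" (fix: {fixed})" if fixed else ""
        print(f"{host:32} {version:10} {status}{target}")
    print(f"\n{len(report(SAMPLE_INVENTORY))} host(s) need updating")
```

Feeding the script a real export from an asset database replaces `SAMPLE_INVENTORY`; the "unlisted" status is deliberate so that a branch outside the article's scope is surfaced for manual review rather than silently passed.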

“In addition to the advisory,” F5 is notifying “customers directly through email,” a spokesperson for F5 told The Daily Swig.

F5, which is headquartered in Seattle, has 85 offices in 43 countries and says its application security services are used by 48 of the Fortune 50 companies.

The Daily Swig has contacted Positive Technologies for further comment and will update this article accordingly.
