Hackers are exploiting a 5 alarm error on network equipment


Any company that Uses a certain network team from Seattle-based F5 Networks had a rude disruption to its July 4 weekend, as a critical vulnerability turned the party into a race to implement a solution. Those who have not done so now may have a much bigger problem on their hands.

Late last week, government agencies, including the United States Computer Emergency Preparedness Team and Cyber ​​Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended that security professionals immediately implement a patch to protect devices from hacking techniques that could take full control of network equipment, offering access to all traffic they touch and a foothold for further exploitation. deep of any corporate network that uses them. Now, some security companies say they are already seeing the F5 vulnerability exploit in the wild, warning that any organization that didn’t patch their F5 gear over the weekend is already too late.

“This is the pre-exploitation window to shut the door right in front of your eyes,” wrote Chris Krebs, head of the Infrastructure and Cybersecurity Security Agency, in a tweet on Sunday afternoon. “If you didn’t patch this morning, assume you’re engaged.”

The trick

The F5 vulnerability, first discovered and disclosed to F5 by Russian cybersecurity firm Positive Technologies, affects a number of devices called BIG-IP that act as load balancers within large enterprise networks, distributing traffic to different servers that are They host applications or websites. Positive Technologies found a so-called directory traversal error in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they are not intended for. That vulnerability was exacerbated by another bug that allows an attacker to run a “shell” on devices that essentially allows a hacker to execute whatever code they choose.

The result is that anyone who can find an unpatched BIG-IP device exposed to the Internet can intercept and mess with the traffic it touches. Hackers could, for example, intercept and redirect transactions made through a bank’s website, or steal users’ credentials. They could also use the hacked device as a jump point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic linked to web servers, an attacker could even use the bug to steal the encryption keys that ensure the security of an organization’s HTTPS traffic with users, warns Kevin Gennuso , a cybersecurity professional for a major American retailer. “It is very, very powerful,” says Gennuso, who declined to name his employer but said he had spent much of the weekend on vacation working to fix the security vulnerabilities in his F5 devices. “This is probably one of the most shocking vulnerabilities I have seen in my more than 20 years of information security, due to its depth and breadth and the number of companies using these devices.”

When asked for comment, F5 directed WIRED to a security advisory that the company posted on June 30. “This vulnerability can result in total system compromise,” the page reads, before continuing to detail how companies can mitigate it.

How serious is this?

The F5 bug is particularly concerning because it is relatively easy to exploit and also offers a large menu of options for hackers. Security researchers have pointed out that the URL that triggers the vulnerability can fit in a tweet: A researcher from the South Korean Computer Emergency Response Team released two versions in a single tweet along with a demo video. Since the attack targets the web interface of a vulnerable device, it can be carried out in its simplest form by simply tricking someone into visiting a carefully crafted URL.

.