CISA, USCYBERCOM warn of massive vulnerability for popular networking device

The U.S. government is warning of a particularly dangerous vulnerability affecting BIG-IP networking devices produced by F5 that likely impacts every major sector in the world, including federal agencies.

According to F5, the remote code execution vulnerability was first discovered by researcher Mikhail Klyuchnikov of Positive Technologies and exists in the traffic management user interface of its Big-IP networking devices. It allows unauthenticated attackers to carry out a number of RCE attacks, including creating or deleting files, disabling services and issuing other arbitrary system commands.

On July 3, U.S. Cyber Command advised organizations to “remediate immediately,” adding that patching the vulnerabilities “should not be postponed over the weekend.” The Cybersecurity and Infrastructure Security Agency put out an alert encouraging users to patch, and CISA Director Chris Krebs said his organization was already seeing reports of active scanning and possible exploitation of the vulnerability. Over the weekend, Krebs warned the “pre-exploit window to patch [is] slamming shut right in front of your eyes” and that organizations that hasn’t patched their devices by Sunday morning should “assume compromise.”

The networking devices are a popular choice to support many enterprise networks; researchers have found thousands of such devices connected to the internet through Shodan. A search of government contracting records finds a number of agencies that have either procured F5 BIG-IP devices or maintenance services for existing devices over the past five years, including the Departments of Commerce, Defense, State, multiple branches of the military, the FBI and a number of smaller agencies.

According to F5’s website, several of its BIG-IP products are also certified under the National Institute of Standards and Technology's USGv6 conformance program and the Department of Defense Information Network Approved Product List, while its traffic filtering firewall products are on the National Security Agency’s component list for its Commercial Solutions for Classified program.

FCW has reached out to CISA for more information on further remediation actions targeting federal networks or critical infrastructure.

The vulnerability was rated “critical” and given a 10/10, the highest possible severity score, by the Common Vulnerability Scoring System. A patch was quickly developed, but information security professionals say the attack is simple to carry out and organizations may have already missed their opportunity to avoid exploitation. 

Curtis Dukes, former head of the Information Assurance Directorate at NSA and executive vice president at the Center for Internet Security, told FCW that F5 BIG-IP devices are used by most large organizations, including major cloud service providers. Because it’s an RCE vulnerability, attacks can reach any device connected to the internet, regardless of where the attacker or device is located. A simple HTTP request can give attackers access to the server, where they can carry out credential theft, denial of service, file exfiltration or other attacks. He also highlighted cloud service providers and government entities that manage large datasets as particularly at-risk.

“Pretty much every industry sector uses the device and is likely susceptible -- if they are internet-facing -- to an attack,” Dukes said.

Note: When originally published, this article's headline incorrectly included the National Security Agency in the vulnerability disclosure.  The headline was updated on July 7.