After researchers observed a malicious in-the-wild attack operation, the urgency to fix gaping security holes in F5 Networks BIG-IP and BIG-IQ products increased over the weekend.
Malware researchers at NCC Group in the United Kingdom are warning about mass scanning and “multiple penetration attempts” using exploits aimed at critical security vulnerabilities in F5 enterprise networking infrastructure products.
Because the vulnerabilities allow authentication bypass and remote code execution, they were patched on March 10 and are considered high-priority updates.
Proof-of-concept code began circulating less than a week after the patches were published, and NCC Group researchers reported that their honeypot infrastructure had been targeted by exploitation attempts over the weekend.
“This knowledge, combined with having reproduced the full exploit-chain, we assess that a public exploit is likely to be available in the public domain soon,” NCC Group warned.
The researchers explain the exploitation path:
There are two steps to exploiting this weakness. First, authentication is bypassed by exploiting the SSRF vulnerability to obtain an authenticated session token. This authenticated session can then be used to communicate with REST API endpoints that would otherwise require authentication.
The tm/util/bash endpoint is the most useful for an attacker, since it enables an (authenticated) user to run commands with root privileges on the underlying server. However, since the REST API is designed for remote administration, there are numerous other endpoints that an intruder might manipulate.
A command injection vulnerability in the tm/access/bundle-install-tasks REST endpoint was also patched as part of the F5 updates, which could be used as an alternative way to execute arbitrary commands once authentication has been bypassed.
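The two REST endpoints named above are the ones a defender most wants visibility into while patching is under way. The following is an added example, not NCC Group's Suricata rules and not F5 code: a small log review script that flags requests to those endpoints and separates hits from unexpected sources from legitimate administrative use. It assumes (1) web access logs in the common combined format (real BIG-IP logs differ, so the parser would need adjusting), (2) the iControl REST paths live under a `/mgmt/` prefix, and (3) management access is expected only from the `ADMIN_NETS` ranges; the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# REST endpoints named in the article; assumption: matched as path substrings,
# so a "/mgmt/" prefix or query string does not defeat the match.
SENSITIVE_ENDPOINTS = ("tm/util/bash", "tm/access/bundle-install-tasks")

# Assumption: management-plane access is only expected from these networks.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Combined log format: src ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_admin_source(src):
    """True if the source address falls inside an expected admin network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETS)


def classify(entry):
    """Decide whether one parsed request deserves a finding, and why."""
    path = entry["path"].lower()
    hit = next((e for e in SENSITIVE_ENDPOINTS if e in path), None)
    if hit is None:
        return None
    if not is_admin_source(entry["src"]):
        # Any touch of these endpoints from outside admin ranges is suspicious,
        # even a rejected one (4xx): it is exactly the probing the article reports.
        reason = f"{hit} reached from non-admin source"
    elif entry["status"] < 400:
        # Successful use from an admin network: legitimate, but worth a change-ticket check.
        reason = f"{hit} executed from admin network (verify change ticket)"
    else:
        return None  # rejected request from an admin network: routine noise
    return Finding(entry["src"], entry["ts"], entry["method"],
                   entry["path"], entry["status"], reason)


def scan(lines):
    """Run every log line through the parser and classifier; return findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def sources_by_hits(findings):
    """Count findings per source, so repeat probers float to the top."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log lines (not real BIG-IP output); dates are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2021:03:14:07 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [20/Mar/2021:03:14:09 +0000] "POST /mgmt/tm/access/bundle-install-tasks HTTP/1.1" 401 0 "-" "python-requests/2.25.1"',
    '10.1.2.3 - admin [20/Mar/2021:09:00:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 200 "-" "curl/7.64.1"',
    '10.1.2.3 - - [20/Mar/2021:09:00:05 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 4096 "-" "curl/7.64.1"',
    '198.51.100.4 - - [20/Mar/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.path} {f.status}: {f.reason}")
    print(sources_by_hits(scan(SAMPLE_LOG)))
```

On the sample input the script reports three findings: two probes of the sensitive endpoints from 203.0.113.7 (one of which succeeded with a 200, the signal that matters most) and one successful admin-network use of tm/util/bash to be reconciled against change records. A status-code-only filter would have missed the 401 probe, which is why source network is checked before status.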
Suricata network rules were also released by NCC Group to assist defenders in detecting exploitation attempts.
The United States Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory stressing the importance of reviewing F5’s advisory and applying the updates.