Cyber security provider F-Secure said in a blog post that it is advising organizations using F5 Networks’ BIG-IP load balancer, which is popular amongst governments, banks, and other large corporations, to address security issues.
F-Secure said adversaries can exploit insecurely configured BIG-IP load balancers to penetrate networks and perform a wide variety of attacks against organizations, or against individuals using web services managed by a compromised device.
The security issue is present in the Tcl programming language that BIG-IP’s iRules (the feature that BIG-IP uses to direct incoming web traffic) are written in. Certain coding practices allow attackers to inject arbitrary Tcl commands which could be executed in the security context of the target Tcl script.
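The coding practice at issue is Tcl's double substitution: when an iRule passes an unbraced argument to a command such as `expr` or `eval`, Tcl substitutes variables and command results once while parsing the line, and the command then parses the resulting text again as an expression or script, so request data that reaches that argument is treated as code. The following added example (not code from F-Secure or F5) is a small audit script that scans iRule text for that pattern; the sample iRule it scans is constructed for illustration and is not a real configuration, and the list of commands it checks is an assumption drawn from Tcl semantics rather than an F5-published list.

```python
import re
from typing import List, NamedTuple

# Tcl commands that parse their argument text as an expression or script.
# Passed unbraced, the argument is substituted by Tcl first and parsed again
# by the command, so attacker-influenced data can be interpreted as Tcl code.
# This list is an assumption based on Tcl semantics, not an F5-published list.
DOUBLE_PARSE_COMMANDS = ("expr", "eval", "subst")

# Command word (possibly inside [...]) followed by the rest of the line.
_CMD_RE = re.compile(r"(?<![\w:$])(expr|eval|subst)\s+(.*)")

# Constructed sample iRule (not from any real deployment) mixing unsafe and safe forms.
SAMPLE_IRULE = """\
when HTTP_REQUEST {
    # Constructed example iRule, not taken from any real deployment.
    set path [HTTP::path]
    set count [HTTP::header "X-Count"]
    # Unsafe: unbraced expr re-parses the already substituted header value
    if { [expr $count + 1] > 10 } { HTTP::respond 429 }
    # Safe: braces defer substitution to expr, which treats the value as one operand
    if { [expr {$count + 1}] > 10 } { HTTP::respond 429 }
    # Unsafe: eval parses a string built from request data as Tcl code
    eval "log local0. $path"
    # Safe: pass the value as an argument, never as code
    log local0. $path
}
"""


class Finding(NamedTuple):
    line_no: int
    command: str
    source: str


def _argument_is_braced(rest: str) -> bool:
    # A leading brace means Tcl passes the text through without substitution;
    # the command then substitutes exactly once.
    return rest.lstrip().startswith("{")


def _argument_has_substitution(rest: str) -> bool:
    # Variable ($var) or command ([cmd]) substitution in an unbraced argument
    # is the trigger for double parsing.
    return "$" in rest or "[" in rest


def audit_irule(text: str) -> List[Finding]:
    """Return one Finding per line that passes an unbraced, substituted argument
    to a double-parsing Tcl command. Comment lines are ignored."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for match in _CMD_RE.finditer(line):
            command, rest = match.group(1), match.group(2)
            if command not in DOUBLE_PARSE_COMMANDS:
                continue
            if _argument_is_braced(rest):
                continue
            if _argument_has_substitution(rest):
                findings.append(Finding(line_no, command, line))
    return findings


if __name__ == "__main__":
    for finding in audit_irule(SAMPLE_IRULE):
        print(f"line {finding.line_no}: unbraced {finding.command} -> {finding.source}")
```

Run against the constructed sample, the script reports the unbraced `expr` on line 6 and the `eval` on line 10 and stays silent on the braced alternatives. The check is a heuristic for review, not a parser: it works line by line and will miss multi-line constructs, so treat its output as a starting point for a manual read of each flagged iRule.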
Adversaries that exploit insecurely configured iRules can use the compromised BIG-IP device as a beachhead to launch further attacks, resulting in a potentially severe breach for an organization.
F-Secure said they could intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organization’s web services to be targeted and attacked.
“This configuration issue is quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks,” said F-Secure Senior Security Consultant Christoffer Jerkeby.
Christoffer Jerkeby discovered over 300,000 active BIG-IP implementations on the internet during the course of his research, but due to methodological limitations, suspects the real number could be higher. Approximately 60 percent of the BIG-IP instances he found were in the United States.
F-Secure is offering free trial versions of the technology, while cloud instances can be accessed from the AWS store for a minimal cost.