Hit F5 to Refresh

Last week, F5 came clean that security researcher Mikhail Klyuchnikov at Positive Technologies had discovered a critical vulnerability in the Traffic Management interface of F5’s BIG-IP device range. This vulnerability allows for total compromise of affected systems by unauthenticated attackers from across the internet, scoring it a 10 on the Common Vulnerability Scoring System.

F5 released their security advisory on 01 July. As soon as methods to test for this issue became public, we offered all our clients a complimentary scan to determine whether they were affected. We were able to notify customers of our Oversight product even sooner, due to its continuous monitoring capabilities.

The vulnerability itself is an authorisation bypass, which enables multiple further attacks. Notably, this vulnerability enables unauthenticated remote code execution. Judging by the work done by Critical Start (diffing the updates issued by F5) the vulnerability looks like a configuration issue. Researcher Mikhail Klyuchnikov said:

“a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and [..] completely compromise the system”

Researchers Rich Mirch and Chase Dardaman at Critical Start quickly found mitigations supplied by F5 technologies were inadequate – so a full patch of all affected systems is advised.