Critical F5 Bug Could Lead to Wide Range of Malicious Actions

F5 has fixed more than a dozen high-severity vulnerabilities in its networking device, one of them being elevated to critical severity under specific conditions. The issues are part of this month’s delivery of security updates, which addresses almost 30 vulnerabilities for multiple F5 devices.

These vulnerabilities are affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions.


Experts reacted to this latest string of vuln patches.


Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:

"Since F5's products are used in many hosting and large enterprise applications, users should check the F5 advisories to check if their equipment is vulnerable. Attackers gaining control of any of those listed devices, specifically the web application firewall, could wreak havoc across an estate. With so many higher-level vulnerabilities listed, organizations must patch them as soon as possible or risk compromise to critical areas of the infrastructure. If it can't be done, steps should be taken to mitigate the risk and at least deploy some of the best practice recommendations from F5, like allowing only trusted, authenticated users to access some of the applications."

Michael Haugh, Vice President at Gluware, a Sacramento, Calif.-based provider of network automation solutions:

"NetOps teams are under the gun to keep the network highly available, secure and delivering the required performance for the business applications. Known vulnerabilities create a challenge to respond quickly to implement any available workaround or fix. Vendor vulnerabilities that require an OS Upgrade or patch can be very labor-intensive and potentially disruptive. In the case of a load balancer like F5, redundancy must be part of the device and traffic must be re-directed off an active device taking it out of service to perform an upgrade. This process often has to be repeated over dozens or even hundreds of devices depending on the organization. Having automated processes to pre-check, stage the image, gracefully execute the upgrades and complete post-checks can significantly improve the ability for NetOps to respond and execute a low-risk upgrade."

Jonathan Chua, Application Security Consultant at nVisium, a Falls Church, Virginia-based application security provider:

"F5 Big IP has been targeted by security researchers and adversaries due to the vulnerable, external nature of the product. Several F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service. Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company's network via the external perimeter. An example of this is the F5 Traffic Management User Interface (TMUI), which is being actively exploited by adversaries. This service is often available on a company's external perimeter and contains a critical remote code execution vulnerability. As a result, if the service is exploited, such service may provide external attackers an initial foothold in a company's internal network."

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation:

"Even though 30 vulnerabilities, with many being high severity, across several F5 devices may seem like a high number, it is par for the course for any notable enterprise tech provider and is a relative drop in the bucket considering the tens of thousands of vulnerabilities disclosed every year. IT security teams struggle every day to understand their company’s risk posture and to prioritize the most-critical vulnerabilities for remediation and mitigation. But risk management and vulnerability prioritization is essential to effective cyber hygiene and proactive defense of any enterprise network."


###