The cybersecurity firms NCC Group and Bad Packets reported concerted attempts by attackers to exploit critical vulnerabilities in F5 BIG-IP and BIG-IQ systems. Mass scanning for the flaws was detected after researchers published proof-of-concept (PoC) code online.
The researchers observed that attack traffic targeting the F5 vulnerabilities peaked within 24 hours of the PoC code being released. F5 had already released fixed versions for the vulnerabilities that the unidentified attackers were targeting.
The vulnerabilities pose significant risk because F5 enterprise networking products are deployed in 48 of the Fortune 50 companies, including Microsoft, Oracle and Facebook, as well as major ISPs, financial institutions, telecoms and healthcare providers.
Attackers escalate cyber attacks on F5 BIG-IP and BIG-IQ critical vulnerabilities
Researchers from NCC Group said they had observed "multiple exploitation attempts" against their honeypots and expected full exploitation of the F5 vulnerabilities in the wild soon.
"Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure," NCC Group researchers said on Thursday. "This knowledge, combined with having reproduced the full exploit-chain, we assess that a public exploit is likely to be available in the public domain soon."
The F5 BIG-IP and BIG-IQ vulnerability CVE-2021-22986 is an unauthenticated remote code execution flaw in the iControl REST interface with a CVSS v3 score of 9.8. An attacker who can reach the interface could exploit it to take complete control of a vulnerable system.
The vulnerability affects the iControl REST endpoints. F5 states that it can only be exploited through the control plane (the management interface and self IPs that expose iControl REST) and not through the data plane, so devices whose management interface is reachable from untrusted networks are the ones at immediate risk.
NCC Group also published indicators of compromise (IoCs) on its blog after observing "full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities."
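Because CVE-2021-22986 is only reachable through the control plane, the iControl REST audit trail is the natural place to hunt for abuse. The following is an added example, not code from NCC Group or F5: it scans constructed, simplified JSON audit entries (the field names and the `restjavad`-style layout are an assumption, not the real log format) and flags POSTs to the `/mgmt/tm/util/bash` endpoint, which hands a caller a shell on the appliance, especially when they come from outside the expected management networks or directly follow an authentication call. The trusted network list is a placeholder to adapt.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample entries (not real logs), loosely modelled on
# restjavad audit records. Field names are an assumption.
SAMPLE_LOG = """\
{"time":"2021-03-18T10:01:02Z","from":"10.10.0.5","user":"local/admin","method":"GET","uri":"/mgmt/tm/ltm/virtual","status":200}
{"time":"2021-03-18T10:02:11Z","from":"203.0.113.7","user":"local/admin","method":"POST","uri":"/mgmt/shared/authn/login","status":200}
{"time":"2021-03-18T10:02:12Z","from":"203.0.113.7","user":"local/admin","method":"POST","uri":"/mgmt/tm/util/bash","status":200}
{"time":"2021-03-18T10:02:13Z","from":"203.0.113.7","user":"local/admin","method":"POST","uri":"/mgmt/tm/util/bash","status":200}
{"time":"2021-03-18T10:05:00Z","from":"10.10.0.9","user":"local/admin","method":"POST","uri":"/mgmt/tm/sys/config","status":200}
{"time":"2021-03-18T10:06:30Z","from":"198.51.100.22","user":"local/admin","method":"POST","uri":"/mgmt/shared/authn/login","status":401}
"""

# Placeholder: the networks from which iControl REST should legitimately be used.
TRUSTED_MGMT_NETS = ("10.10.0.0/24",)

# iControl REST endpoint that executes arbitrary shell commands on the host.
COMMAND_ENDPOINTS = ("/mgmt/tm/util/bash",)
LOGIN_ENDPOINT = "/mgmt/shared/authn/login"


def parse_entries(text):
    """Parse one JSON object per line into dicts with a datetime 'ts' field."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return entries


def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_suspicious(text, trusted_cidrs, chain_window_s=60):
    """Return findings for every command-execution call via iControl REST.

    Each finding lists why it was flagged: the endpoint itself, a source
    outside the management networks, and/or a successful login from the
    same source shortly before (token obtained, then commands run).
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    last_login = {}  # source IP -> timestamp of last successful login
    for e in parse_entries(text):
        src = e["from"]
        if e["uri"] == LOGIN_ENDPOINT and e["status"] == 200:
            last_login[src] = e["ts"]
        if e["uri"] in COMMAND_ENDPOINTS and e["method"] == "POST":
            reasons = ["command execution endpoint called"]
            if not is_trusted(src, trusted):
                reasons.append("source outside management networks")
            login_ts = last_login.get(src)
            if login_ts and (e["ts"] - login_ts).total_seconds() <= chain_window_s:
                reasons.append(f"login followed by command execution within {chain_window_s}s")
            findings.append({"time": e["time"], "from": src, "user": e["user"],
                             "uri": e["uri"], "reasons": reasons})
    return findings


def summarize_by_source(findings):
    """Count flagged command executions per source address."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["from"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG, TRUSTED_MGMT_NETS)
    for h in hits:
        print(h["time"], h["from"], h["user"], h["uri"], "; ".join(h["reasons"]))
    print("per source:", summarize_by_source(hits))
```

On a real device the audit trail would be read from the appliance's own log files and the trusted networks would be the organization's management ranges; any hit from an address that is not a known automation host or administrator workstation is worth treating as a potential compromise rather than a false positive, since the patch does not undo what an attacker already did with a root shell.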
Users advised to install F5 BIG-IP updates promptly
F5 released updates and advised all customers to upgrade their BIG-IP and BIG-IQ systems to a fixed version.
“To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version,” the company said.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) advised organizations to patch the vulnerability alongside the Traffic Management User Interface (TMUI) flaw, CVE-2021-22987, which has a CVSS score of 9.9.
In July 2020, F5, headquartered in Seattle, Washington, warned organizations that had not installed the TMUI patch for CVE-2020-5902 shortly after its release to assume they were compromised and to start their incident response procedures.
Remote code execution and denial of service attacks possible without authentication
When a device runs in Appliance mode, CVE-2021-22987 allows an authenticated user with access to TMUI to execute arbitrary system commands, escaping the restrictions that Appliance mode is meant to enforce. Like CVE-2021-22986, it is reachable only through the control plane.
Attackers previously exploited another F5 remote code execution vulnerability in TMUI, CVE-2020-5902, to steal credentials and install malware on vulnerable F5 devices. That flaw has a CVSS v2 score of 10.0 and a CVSS v3 score of 9.8.
CVE-2021-22991 has a CVSS v3 score of 9.0. Undisclosed requests to a virtual server can be mishandled by the Traffic Management Microkernel (TMM) URI normalization and trigger a buffer overflow, which an attacker could use to cause a denial of service (DoS) and, in certain situations, to achieve remote code execution (RCE) or bypass URL-based access control.
Similarly, CVE-2021-22992 has a CVSS score of 9.0 and affects Advanced WAF and BIG-IP ASM virtual servers that have a login page configured in the security policy. A malicious HTTP response from a back-end server can trigger a buffer overflow, causing a DoS and in some situations allowing RCE.
On March 10, 2021, F5 also published fixes for 14 further unrelated vulnerabilities, including several of high and medium severity, so organizations face a sizeable backlog of F5 patches beyond the critical ones.
No specific hacking groups associated with F5 BIG-IP attacks
The security firms could not attribute the attempted exploitation of the F5 vulnerabilities to any known threat actor. However, many of the scanning attempts originated from hosts in China and Hong Kong.
Rich Warren, a principal security researcher at NCC Group, said the attackers were spraying exploitation attempts across the internet rather than targeting specific organizations.
“The threat landscape for connected products has become complicated and multi-dimensional,” says Asaf Karas, Co-Founder and CTO of Vdoo. “Networking devices such as load balancers and access gateways are desirable targets for threat actors, as they’re used to control the traffic in and out of large corporate networks, government agencies, data centers, and across ISP infrastructure. Once inside the network, attackers can perform a MITM attack and manipulate the data transferred through the F5 device as well as move laterally to take control of critical resources and data.”
Karas says that remote code execution cyber attacks are the most common exploits his company observes in the wild.
“In this vulnerability, we see a failure to filter user input for special shell characters and then taking that input as a parameter to a shell command (in this case, the “tar” archive utility) for execution. Moreover, this command is executed with root permissions, giving the attacker complete control of the device OS,” Karas concluded.
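The pattern Karas describes, unfiltered input reaching a shell command that runs as root, is easy to illustrate in isolation. The following is an added example and not F5's code: a hypothetical archive-extraction routine written two ways, first with the input interpolated into a shell string (so a filename such as `x.tar; id` runs a second command), and then with an allowlist check on the name and the arguments passed to `tar` as a list, which never involves a shell. The vulnerable variant is run here only with a harmless injected `echo` to show that the injection actually executes.

```python
import re
import subprocess


def build_tar_command_vulnerable(filename):
    """Vulnerable pattern: untrusted input interpolated into a shell string."""
    return f"tar -xf {filename}"


def run_vulnerable(filename):
    """Runs the vulnerable command through /bin/sh and returns its output.

    Shell metacharacters in `filename` are interpreted by the shell, so
    'nonexistent.tar; echo INJECTED' runs tar and then echo.
    """
    cmd = build_tar_command_vulnerable(filename)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Hardened side: an allowlist of characters for the archive name. No shell
# metacharacters, no path separators, no leading dot, so no traversal.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar")


def validate_archive_name(filename):
    """Return the name if it matches the allowlist, otherwise raise."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected archive name: {filename!r}")
    return filename


def build_tar_argv(filename, dest_dir):
    """Hardened pattern: argv list for tar, never joined into a shell string."""
    name = validate_archive_name(filename)
    return ["tar", "-xf", name, "-C", str(dest_dir)]


def extract_archive(filename, dest_dir):
    """Extract with shell=False; tar sees the name as one literal argument.

    In a real service this would also run as an unprivileged user rather
    than root, so that even a tar bug cannot hand over the whole device.
    """
    argv = build_tar_argv(filename, dest_dir)
    subprocess.run(argv, shell=False, check=True)


if __name__ == "__main__":
    print(run_vulnerable("nonexistent.tar; echo INJECTED"))
    for candidate in ("backup-2021.tar", "x.tar; id", "$(id).tar", "../etc.tar"):
        try:
            print("accepted:", validate_archive_name(candidate))
        except ValueError as err:
            print("rejected:", err)
```

The allowlist is deliberately strict rather than trying to escape "dangerous" characters: a blocklist has to anticipate every shell feature, whereas a short allowlist of safe characters plus a list-form `subprocess` call removes the shell from the picture entirely.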