SecurityWeek

Vulnerabilities

Hidden Injection Flaws Found in BIG-IP Load Balancers

In May 2019 (updated in June), F5 issued a security advisory about a potential injection issue in the Tool Command Language (Tcl) as used with its BIG-IP load balancers. Load balancers are essential to ensure consistent web services in high volume circumstances, and BIG-IP is popular with banks, governments and large corporations.

The issue cannot be patched. “This is not a vulnerability in Tcl, or F5 products, but rather an issue relating to coding practices used when writing Tcl code,” explained F5 in its advisory. The effect, however, could give an attacker access to the load balancer and its hosting device, the ability to read passing traffic (including user credentials), and the potential to use this as a beachhead for gaining access to the internal network.

The inability to patch the problem, and the difficulty companies face in knowing whether their own code contains it, prompted the flaw's finder, F-Secure senior security consultant Christoffer Jerkeby, to publish a paper on his findings. His research team discovered more than 300,000 active BIG-IP implementations worldwide (around 60% of them in the U.S.), but believes the true figure could be considerably higher.

The security issue lies in BIG-IP's iRules. iRules allow operators to direct traffic based on header data and content type, customizing content switching to their exact needs. iRules are written in Tcl by the operator, and the problem arises because coding practices accepted as normal elsewhere can, in Tcl, leave an injection point: some Tcl commands evaluate their argument a second time, so request data that reaches such an argument without brace quoting is executed as code rather than treated as a string.

While not every BIG-IP user will be vulnerable, depending on the exact iRules code developed, “the obscure nature of the underlying issue means most organizations need to investigate and verify whether or not they’re affected,” says Jerkeby.

If the flaw exists, exploitation could be as simple as submitting a command or piece of code as part of a web request. Three steps would normally be involved: identify a field where the iRules substitute a command; test the injection location using the ‘info’ command; and pivot to external resources to establish persistence.
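To make the mechanism and the probe step described above concrete, here is an added example; it is not code from the article, from F-Secure's paper or from F5's advisory. It runs in a plain tclsh: `HTTP::header` is a stand-in for the iRule command of that name, and the request, the `X-Backend-Weight` header and the proc names are constructed for the example. The vulnerable proc uses the header in an unbraced `expr`, the hardened proc braces the expression and validates the value first.

```tcl
#!/usr/bin/env tclsh
# Added example (not code from the article, from F-Secure's paper or from F5's
# advisory). It shows why an unbraced expr in an iRule is an injection point
# and what the braced, validated form looks like. HTTP::header is a plain-Tcl
# stand-in for the iRule command of that name so the script runs in tclsh; the
# request, the header name and the proc names are constructed for the example.

namespace eval HTTP {}

# Constructed request. The value is the article's step-2 probe: an [info ...]
# command substitution placed in a field the iRule later evaluates.
array set request {
    X-Backend-Weight {[info hostname]}
}

proc HTTP::header {name} {
    global request
    if {[info exists request($name)]} {
        return $request($name)
    }
    return ""
}

# Vulnerable pattern. Tcl substitutes $w once while parsing this command line,
# so expr receives the text "[info hostname]". expr then parses that text as an
# expression, and expression syntax performs command substitution on [...]:
# the attacker's command runs and its output becomes the "weight". The same
# second evaluation happens with eval, subst, and unbraced if/while conditions.
proc weight_vulnerable {} {
    set w [HTTP::header X-Backend-Weight]
    return [expr $w]
}

# Hardened pattern. Braces stop the first substitution, so expr receives the
# expression {$w} and only ever treats the header's value as a value. The value
# is also validated before use, so a non-numeric weight is rejected instead of
# being silently compared as a string.
proc weight_hardened {} {
    set w [HTTP::header X-Backend-Weight]
    if {![string is integer -strict $w]} {
        return -code error "rejected non-numeric weight: $w"
    }
    return [expr {$w}]
}

# Ordinary single substitution is inert: the header is just a string here.
puts "as data    : [HTTP::header X-Backend-Weight]"

# Prints this machine's hostname: the attacker's command ran.
puts "vulnerable : [weight_vulnerable]"

catch {weight_hardened} result
puts "hardened   : $result"

# A legitimate value still works through the hardened path.
set request(X-Backend-Weight) 30
puts "hardened   : [weight_hardened]"
```

Run it with `tclsh`. The "as data" line shows that a single substitution leaves the probe as text; only the second evaluation inside the unbraced `expr` executes it, which is why a reviewer looks for the evaluating command rather than for the header read itself.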

This process will compromise the device hosting the BIG-IP software, which can then be used as a beachhead to launch further attacks. In some exploitations, the attacker’s actions may not be logged; in other cases, the attacker can delete the logs, making post-exploit incident investigations difficult.

The problem for the BIG-IP user is in knowing whether the condition exists. “This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks. Plus, many organizations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem,” explains Jerkeby in an associated blog. “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”   

With no patch available, and with companies possibly reluctant to spend time digging into obscure coding issues in rules that appear to work fine, F-Secure is concerned about mass exploitation across major industries. “Because it is possible to mass scan the internet to identify and exploit vulnerable instances of the technology, and in some cases, automate this process, the issue is likely to attract attention from bug bounty hunters and attackers,” says the firm.

Technical details on the flaw and injection conditions, and open source tools to aid in identifying insecure configurations, can be found in both Jerkeby’s paper and the F5 advisory; but the flaws must be found and mitigated by each user. “The upside of this kind of security problem is that not everyone using the product will be affected. But the downside is that the problem can’t be fixed with a patch or software update from the vendor, so it’s up to organizations to do the work to check to see if they have this issue, and fix it if they find it,” says Jerkeby. “That’s why it’s important for anyone using BIG-IP to be proactive about this.”
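As a starting point for the verification the two passages above call for, here is an added review script; it is not one of the tools published with F-Secure's paper or F5's advisory. It flags the Tcl constructs that evaluate their argument a second time (`eval`, `subst`, and `expr`/`if`/`elseif`/`while` whose argument is not brace-quoted). The proc name `scan_irule`, the reasons it reports and the iRule fragment it scans are constructed for the example.

```tcl
#!/usr/bin/env tclsh
# Added example, not one of the tools published with F-Secure's paper or F5's
# advisory: a first-pass review script that flags the Tcl constructs which
# evaluate their argument a second time (eval, subst, and expr/if/elseif/while
# whose argument is not brace-quoted). The proc name, the reasons it reports
# and the iRule text it scans are constructed for the example. A hit marks a
# place to review, not proof of exploitability: whether request data can reach
# that argument still has to be checked by hand.

proc scan_irule {text} {
    set hits {}
    set n 0
    foreach line [split $text \n] {
        incr n
        set code [string trim $line]
        if {$code eq "" || [string index $code 0] eq "#"} {
            continue
        }
        # eval and subst always evaluate their argument as code
        foreach {m cmd} [regexp -all -inline {\m(eval|subst)\M} $code] {
            lappend hits [list $n "$cmd evaluates its argument as code"]
        }
        # expr and the condition of if/elseif/while are parsed as expressions;
        # if the argument is not braced, the parser sees already-substituted
        # request data and performs command substitution on it
        foreach {m cmd next} [regexp -all -inline {\m(expr|if|elseif|while)\s+(\S)} $code] {
            if {$next ne "\{"} {
                lappend hits [list $n "unbraced $cmd argument"]
            }
        }
    }
    return $hits
}

# Constructed iRule fragment mixing safe and unsafe patterns.
set irule {when HTTP_REQUEST {
    set w [HTTP::header X-Backend-Weight]
    # unbraced expr: the header value is parsed as an expression
    if { [expr $w] > 50 } { pool pool_heavy }
    # braced: the value is only ever data
    if { $w > 50 } { pool pool_heavy }
    # unbraced if condition built from the Host header
    if "[HTTP::host] eq {internal.example}" { pool pool_admin }
    set script "log local0. [HTTP::uri]"
    eval $script
}}

foreach hit [scan_irule $irule] {
    lassign $hit lineno why
    puts [format "line %2d: %s" $lineno $why]
}
```

Run it with `tclsh` against exported iRule text. It works line by line, so a braced argument that starts on the next line is not recognized and a construct split across lines can be missed; treat its output as a list of places to read, and confirm by hand whether anything taken from the request can reach each flagged argument.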

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
