Lucene search

threatpostLindsey O'DonnellTHREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B
HistoryMar 19, 2021 - 8:52 p.m.

Critical F5 BIG-IP Flaw Now Under Active Attack

Lindsey O'Donnell





Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated.

The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure, and could allow attackers to take full control over a vulnerable system.

Earlier in March, F5 issued a patch for the flaw, which has a CVSS rating of 9.8 and exists in the iControl REST interface. After the patch was issued, several researchers posted proof-of-concept (PoC) exploit code after reverse engineering the Java software patch in BIG-IP.

Fast forward to this week, researchers reported mass scanning for – and in-the-wild exploitation of – the flaw.

“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure,” said researchers with the NCC Group on Thursday. “This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon.”

CISA, Researchers Urge Updating

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged companies using BIG-IP and BIG-IQ to fix the critical F5 flaw, along with another bug being tracked as CVE-2021-22987. This flaw, with a CVSS rating of 9.9, affects the infrastructure’s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages.

> Opportunistic mass scanning activity detected from the following hosts checking for F5 iControl REST endpoints vulnerable to remote command execution (CVE-2021-22986).
> (🇨🇳) (🇭🇰) (🇨🇳)
> Vendor advisory: <; #threatintel
> — Bad Packets (@bad_packets) March 19, 2021

The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

“The F5 BIG-IP is a very juicy target due to the fact that it can handle highly sensitive data,” said Craig Young, principal security researcher at Tripwire in an email. “An attacker with full control over a load balancing appliance can also take control over the web applications served through it.”

It’s not clear who is behind the exploitations; Threatpost has reached out to NCC Group for further comment.

Other Active Exploits of F5 Flaws

Security experts in July urged companies to deploy an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which was being actively exploited by attackers to scrape credentials, launch malware and more. The critical remote code-execution flaw (CVE-2020-5902) had a CVSS score of 10 out of 10.

And in September, the U.S. government warned that Chinese threat actors successfully compromised several government and private sector entities by exploiting vulnerabilities in F5 BIG-IP devices (as well as Citrix and Pulse Secure VPNs and Microsoft Exchange servers).

For this latest rash of exploit attempts, anyone running an affected version of BIG-IP should prioritize upgrade, said Young.

“Any organization running BIG-IP or other network appliance with the management access exposed to the Internet should be re-evaluating their network layout and bringing those assets onto private networks,” he said.

Register for this LIVE Event: 0-Day Disclosures: Good, Bad & Ugly:On Mar. 24 at 2 p.m. ET, Threatpost tackles how vulnerability disclosures can pose a risk to companies. To be discussed, Microsoft 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack what’s on the line for all businesses when it comes to the disclosure process. Register NOW for this**LIVE **webinar on Wed., Mar. 24.