Hackers Are Exploiting a 5-Alarm Bug In Networking Equipment (wired.com)
Andy Greenberg writes via Wired: Late last week, government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild, and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.
The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they're not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a "shell" on the devices that essentially lets a hacker run any code on them that they choose. The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer. While only a small minority of F5 BIG-IP devices are directly exploitable, Positive Technologies says that still includes 8,000 devices worldwide. "About 40 percent of those are in the U.S., along with 16 percent in China and single-digit percentages in other countries around the globe," reports Wired.
"Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update," adds Wired. "But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix."
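The summary above describes a directory traversal bug in a web-based management interface, chained with a second bug that gives a shell. The following is an added example, not code from Wired, F5 or Positive Technologies, showing how a defender can sweep web-server access logs for traversal attempts aimed at a management path. The `/mgmt-ui/` prefix, the log lines and the addresses are constructed assumptions; the appliance's real paths are not named on the page.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical management-UI path prefix (assumption; the page names none).
MGMT_PREFIX = "/mgmt-ui/"

# Constructed Common Log Format lines using RFC 5737 documentation addresses;
# not real traffic from any device.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2020:10:01:02 +0000] "GET /mgmt-ui/login HTTP/1.1" 200 512
203.0.113.5 - - [06/Jul/2020:10:01:05 +0000] "GET /mgmt-ui/../../etc/hosts HTTP/1.1" 404 0
198.51.100.7 - - [06/Jul/2020:10:02:10 +0000] "GET /mgmt-ui/%2e%2e/%2e%2e/config HTTP/1.1" 404 0
198.51.100.7 - - [06/Jul/2020:10:02:11 +0000] "GET /static/%252e%252e/%252e%252e/config HTTP/1.1" 404 0
192.0.2.9 - - [06/Jul/2020:10:03:00 +0000] "GET /static/app.js?v=1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def canonical_path(target, max_rounds=3):
    """Strip the query string, percent-decode repeatedly (bounded, so
    double-encoded input is still caught) and fold backslashes to slashes."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_segments(path):
    """Number of literal '..' segments in an already-decoded path."""
    return sum(1 for seg in path.split("/") if seg == "..")


def scan_access_log(text, mgmt_prefix=MGMT_PREFIX):
    """Return one finding per request whose decoded path contains '..'.
    Requests that start under the management prefix are rated high."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = canonical_path(m["target"])
        hops = traversal_segments(path)
        if hops == 0:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": m["status"],
            "raw": m["target"],
            "decoded": path,
            # Where the request would land after normalisation, for the analyst.
            "resolved": posixpath.normpath(path),
            "hops": hops,
            "severity": "high" if path.startswith(mgmt_prefix) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['raw']} -> {f['resolved']}")
```

Decoding is repeated a bounded number of times on purpose: a single `unquote` misses `%252e%252e`, while an unbounded loop is a denial-of-service hazard on crafted input. The response status is kept in each finding because a 200 on a traversal request is the case that needs immediate attention, whereas a 403 or 404 is evidence of probing.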
we have some stupid people out there.... (Score:4, Insightful)
no need to expose the management web interface to the internet. We have been using VLANs and private networks for decades, must be some young kid that says IPv6 means we will not need any more of those pesky firewalls...
Re:we have some stupid people out there.... (Score:4, Informative)
no need to expose the management web interface to the internet. We have been using VLANs and private networks for decades, must be some young kid that says IPv6 means we will not need any more of those pesky firewalls...
It's the same way with routers. Expose the administrative interface to the Internet? Win valuable prizes.
It doesn't take a rocket surgeon to run internal and external port and vulnerability scans on Internet (or Intranet) devices.
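The comment above makes the practical point: keep management interfaces on a private management network and scan your own devices for exposure. As an added example, not the commenter's code, here is a small Python audit over a constructed listener inventory (the kind of data collected from `ss -ltnp` or a port scan of each host) that flags management services bound to a wildcard address or to an address outside an assumed management VLAN. The host names, addresses, service names and the 10.20.0.0/24 management network are all assumptions.

```python
import ipaddress

# Assumed management VLAN; anything else is "outside" for management services.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Services that must only be reachable from the management network (assumption).
MGMT_SERVICES = {"mgmt-ui", "ssh"}

# Constructed inventory: (host, service, bind address, port). Not real hosts.
LISTENERS = [
    ("lb-edge-01", "https-vip", "203.0.113.10", 443),   # public VIP, expected
    ("lb-edge-01", "mgmt-ui",   "0.0.0.0",      8443),  # mgmt UI on every interface
    ("lb-edge-01", "mgmt-ui",   "203.0.113.10", 8443),  # mgmt UI on the public VIP
    ("lb-edge-02", "mgmt-ui",   "10.20.0.12",   8443),  # mgmt UI on the mgmt VLAN
    ("lb-edge-02", "ssh",       "::",           22),    # SSH on the IPv6 wildcard
    ("lb-core-01", "ssh",       "10.20.0.13",   22),    # SSH on the mgmt VLAN
]


def classify(addr, mgmt_nets=MGMT_NETS):
    """Classify a bind address: wildcard, inside a management network, or outside.
    Membership is checked against explicit networks rather than is_private,
    because is_private also covers documentation and test ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:            # 0.0.0.0 or ::
        return "wildcard"
    if any(ip in net for net in mgmt_nets):
        return "mgmt-net"
    return "outside-mgmt-net"


def audit(listeners, mgmt_services=MGMT_SERVICES, mgmt_nets=MGMT_NETS):
    """Return (host, service, "addr:port", classification) for every management
    service that is not bound to an address inside the management network."""
    findings = []
    for host, service, addr, port in listeners:
        if service not in mgmt_services:
            continue
        cls = classify(addr, mgmt_nets)
        if cls != "mgmt-net":
            findings.append((host, service, f"{addr}:{port}", cls))
    return findings


if __name__ == "__main__":
    for host, service, endpoint, cls in audit(LISTENERS):
        print(f"{host}: {service} listening on {endpoint} ({cls})")
```

A wildcard bind is flagged even when a firewall sits in front of the device, because the firewall is then the only thing standing between the management interface and the internet; binding the service to the management VLAN address removes that single point of failure.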
Re: (Score:2)
The bug is a configuration issue with an Apache web server. By default, the Apache config does not allow path traversal execution bugs (I'm going based on my memory here), which means someone went out of their way to enable it. What is going on here? Why would you do that?
5 Alarm ??? (Score:5, Funny)
Is "5 Alarm" the new "Zero Day" ?
I laugh at security "experts" who keep coming up with bullshit phrases like that.
Re: (Score:3)
Is "5 Alarm" the new "Zero Day" ?
I believe it means it's really, really spicy. Possibly using ghost chilies.
Re: (Score:2)
Ghost chillies? Please. Carolina reapers or death!
(Carolina reapers are around 2 million Scoville. Ghost peppers are 1 million).
Though, yes, they can be death. See all the one-chip challenge things all over the internet (Carolina reaper seasoned chips).
Re: (Score:2)
Ghost chillies? Please. Carolina reapers or death!
(Carolina reapers are around 2 million Scoville. Ghost peppers are 1 million).
Though, yes, they can be death. See all the one-chip challenge things all over the internet (Carolina reaper seasoned chips).
I draw the line at habanero. You get some heat, but you also get some flavor without completely burning out your taste buds.
Re: (Score:2)
Maybe it ought to be an actual fire alarm. One (not me of course) has the image of fire trucks descending on some hapless company building. The firemen race to the entrance and break in with axes while their buddies are trailing behind with a fire hose. They find the server room door and break it too down with axes. They didn't have to as it was unlocked but it is important to make a grand entrance. They find the offensive piece of equipment and proceed to hose it down thoroughly. Then, a job well done, dec
Re: (Score:2)
I presumed it was a play on the name of the company. It's a F5 alarm.
Re: (Score:2)
No, it is an F5 tornado. Fujita Scale [wikipedia.org]
Might as well use the correct disaster scale
Re: (Score:2)
Tech geeks are hoping girls will mistake them for firefighters if they adopt enough of the lingo.
Re: (Score:1)
It reminds me of the Dept. of Homeland Security's alert color scheme, where they kept tinkering with the colors. The running joke was chartreuse meant terrorists with lisps.
Re: (Score:2)
But it's really only two alarm, two and a half alarm tops.
They should put a firewall in front of it. (Score:2)
I'm reminded of the John Oliver interview with Snowden.
"Does this mean the NSA has a picture of my junk?"
"I never thought of putting it in the context of your junk."
so-called "article" is so-called poorly written (Score:1)
I don't know if others found the copy of Andy Greenberg's summary grating, but for me, it was over the top. There are so-called "articles" and he seems to claim things in quotes weirdly, as well as being an author for the so-called Wired magazine. WTF?
It is not a "so-called BIG-IP" device, it IS a BIG-IP device.
What a hack, this is writing 101. And using a "so-called directory traversal bug" .. no, it's a directory traversal bug.
(sigh)
Re: (Score:2, Offtopic)
Journalism died a while ago. Even reputable news sites have clickbait headlines now.
Re: (Score:1)
There. Fixed that for you.
5-Alarm Bug? (Score:1)
Re: (Score:2)
We just call it 5-Alarm to seem like a big man