UPDATED 22:58 EDT / AUGUST 26 2021

SECURITY

Vulnerabilities in F5 Networks software open the door to hackers

Vulnerabilities in software from network traffic management and security firm F5 Networks Inc. could allow attackers to exploit F5 customers and steal data.

The vulnerabilities, most patched in new software updates, were disclosed by F5 on Wednesday. The 29 vulnerabilities run the gamut of issues, with the highest having a Common Vulnerability Scoring System score of 8.8. Thirteen of the 29 vulnerabilities were rated as high-severity.

The 8.8 vulnerability, formally named CVE-2021-23031, affects BIG-IP Advanced WAF and BIG-IP ASM. The vulnerability would allow an authenticated user to perform a privilege escalation. Having gained access to the Configuration utility, an authenticated hacker could execute arbitrary system commands, create or delete files, or disable services. It’s noted that the vulnerability may result in complete system compromise.

F5 did warn, though, that because the main vulnerability can be accessed by any authenticated user, there’s no overall “viable mitigation.” Although it has patched the access path for a hacker, any legitimate authenticated user can still exploit the vulnerability. The only way to mitigate the risk is to remove access for any users who are not entirely trusted to have that access to begin with.

“Since F5’s products are used in many hosting and large enterprise applications, users should check the F5 advisories to check if their equipment is vulnerable,” Sean Nikkel, senior cyberthreat intelligence analyst at digital risk protection service provider Digital Shadows Ltd., told SiliconANGLE. “Attackers gaining control of any of those listed devices, specifically the web application firewall, could wreak havoc across an estate.”

With so many higher-level vulnerabilities listed, organizations must patch them as soon as possible or risk compromise to critical areas of the infrastructure, Nikkel added. “If it can’t be done, steps should be taken to mitigate the risk and at least deploy some of the best practice recommendations from F5, like allowing only trusted, authenticated users to access some of the applications,” he said.

Jonathan Chua, application security consultant at application security provider nVisium LLC, noted that F5 BIG-IP has been targeted by security researchers and adversaries.

“Several F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service,” Chua explained. “Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company’s network via the external perimeter.”

Yaniv Bar-Dayan, co-founder and chief executive of software-as-a-service cybersecurity risk remediation company Vulcan Cyber Ltd., said that “even though 29 vulnerabilities, with many being high severity, across several F5 devices may seem like a high number, it is par for the course for any notable enterprise tech provider and is a relative drop in the bucket considering the tens of thousands of vulnerabilities disclosed every year.”

Photo: F5 Networks
