https://www.wired.com/story/f5-big-ip-ne...erability/
EXCERPTS: Any company that uses a certain piece of networking equipment from Seattle-based F5 Networks had a rude interruption to their July 4 weekend, as a critical vulnerability turned the holiday into a race to implement a fix. Those who haven't done so by now may now have a much larger problem on their hands.
Late last week, government agencies [...] sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild -- and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.
"This is the pre-exploit window to patch slamming shut right in front of your eyes," wrote Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency, in a tweet Sunday afternoon. "If you didn’t patch by this morning, assume compromised."
[...] The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer.
"It's really, really powerful," says Gennuso, who declined to name his employer but said that he'd spent much of the holiday weekend working to fix the security vulnerabilities in its F5 devices. "This is probably one of the most impactful vulnerabilities I’ve seen in my 20-plus years of information security, because of its depth and breadth and how many companies use these devices." (MORE - details)