F5, Cisco admins: Stop what you're doing and check if you need to install these patches

BIG-IP iControl authentication bypass, NFV VM escape, and more


Updated F5 Networks and Cisco this week issued warnings about serious, and in some cases critical, security vulnerabilities in their products.

F5 officials said Thursday its most serious issue, a critical flaw in its iControl REST framework with a severity score of 9.8 out of 10, could be exploited to bypass the authentication software, used by its BIG-IP portfolio, and hijack equipment. Specifically, the vulnerability, tracked as CVE-2022-1388, can be abused by miscreants to, among other things, run malicious commands on BIG-IP devices via their management ports unimpeded.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," as F5 put it in its advisory. "There is no data plane exposure; this is a control plane issue only."

Judging from a search on Shodan.io, there were almost 16,000 BIG-IP products exposed to the public internet that were seemingly vulnerable to the flaw, which the vendor discovered internally. F5 released fixes for five versions of BIG-IP – v16.1.2.2, v15.1.5.1, v14.1.4.6 and v13.1.5 – to address the security weakness. Version 17 is not known to be vulnerable. The company encouraged users that are running at-risk versions to upgrade as soon as possible.

Until then, F5 outlined several temporary mitigations, including blocking access to the iControl REST interface via self IP addresses, restricting management access only to trusted users and devices over a secure network, or modifying the BIG-IP httpd configuration.

F5's BIG-IP portfolio includes hardware and software designed to ensure application performance, security, and availability through such tools as access policy and advanced firewall managers, web application firewalls, an SSL orchestrator, and local traffic manager. iControl REST enables rapid interaction between the F5 device and the user or a suitable script.

And Cisco's got issues, too

F5's alert came a day after Cisco officials warned about several severity 9.9 security flaws in its Enterprise NFV Infrastructure Software (NFVIS) that could, among things, allow authenticated, remote attackers to escape from a guest virtual machine (VM) and into the host system. The bad actors could then run commands with root privileges or leak system data from the host.

Typically in an NFV environment, the guest VMs are created, configured, and controlled by the network operator; in other words, this sort of security hole would be exploited by a rogue insider or someone who has already managed to compromise one of the host's virtual machines.

"The vulnerabilities are not dependent on one another," Cisco's Product Security Incident Response Team (PSIRT) added in its advisory. "Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities."

For its part, Cisco detailed three vulnerabilities – tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, found by a team calling itself the Orange Group – in its Enterprise NFVIS, which enables virtual network functions to be managed independently. Organizations can use the software to choose how to deploy Cisco's Enterprise NFV offering and on what platform.

A flaw in the Next Generation Input/Output (NGIO) feature can be abused by an attacker to escape from a guest VM and gain root-level access to the host by making an API call. Another vulnerability in the image registration process would allow a miscreant to inject commands that also execute at the root level by persuading an administrator on the host machine to install a VM image with crafted metadata.

The third flaw is in the import function.

"An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM," Cisco PSIRT wrote. "A successful exploit could allow the attacker to access system information from the host, such as files containing user data, on any configured VM."

Both companies have released fixes for the vulnerabilities. For NFVIS, net admins should upgrade to version 4.7.1 or higher. Cisco said it was not aware of any active exploitation of the flaws.

The US Cybersecurity and Infrastructure Agency (CISA) in a statement urged F5 customers to apply the aforementioned updates or use the workarounds to protect against attackers.

Less haste, more speed for fixes

It's imperative that organizations patch the vulnerabilities, though the work can't stop there, according to Greg Fitzgerald, co-founder of asset management platform vendor Sevco Security.

"The most significant risk for enterprises isn't the speed at which they are applying critical patches; it comes from not applying the patches on every asset," Fitzgerald told The Register. "The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for."

Companies can't patch something that they don't know is there and "attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets," he said.

As IT becomes increasingly distributed across the data center, clouds and edge and remote workforces are more common, and the demand for network security is growing. Analysts with Fortune Business Insights are predicting the global networking security market will jump from $22.6 billion this year to $53.11 billion by 2029. ®

Updated to add

Since F5 Networks last week announced a critical vulnerability in the iControl REST authentication framework in the vendor’s BIG-IP networking modules, threat actors and cybersecurity experts alike have been hard at work trying to exploit it.

Security researchers over the weekend said they were successful remote code execution (RCE) flaw tracked as CVE-2022-1388, which carries as severity score of 9.8 out of 10. If exploited, a hacker could gain initial access into a system and then take control of it, opening it up to a range of attacks.

Security teams from such companies as Horizon3.ai and Positive Technologies said on Twitter over the week that they were able to develop proof-of-concept exploits. In its tweet, the experts at Horizon3.ai wrote that the vulnerability “is trivial to exploit. We spent some time chasing unrelate diffs within the newest version, but [exploit developer James Horseman] ultimately got first blood.”

The vendor said it would release a POC this week to give organizations more time to patch. However, some are also seeing exploitation attempts in the wild, including many against the management interface.

Researcher Kevin Beaumont tweeted that he has seen attacks that didn’t target the interface, adding that “if you configured [the] F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”

German Fernandez, a security researcher with Cronup, detected bad actors installing PHP webshells that could lead to other attacks, including ransomware.

Some also questioned how the vulnerability got into the software give how easy it is to exploit. Jake Williams, executive director of cyberthreat intelligence at Scythe, said he wasn’t “entirely unconvinced that this code wasn't planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.”

F5 issued a fix for the vulnerability last week and urged users to patch their systems ASAP, particularly given that there are thousands of BIG-IP machines exposed on the internet.

In a statement to The Register, F5 said, “We are aware exploits for CVE-2022-1388 have been publicly posted and there are active attacks against the vulnerability. If customers have not already done so, we strongly recommend updating to a fixed version of BIG-IP or implementing one of the mitigations detailed in the security advisory.”


Other stories you might like

  • Will this be one of the world's first RISC-V laptops?
    A sneak peek at a notebook that could be revealed this year

    Pic As Apple and Qualcomm push for more Arm adoption in the notebook space, we have come across a photo of what could become one of the world's first laptops to use the open-source RISC-V instruction set architecture.

    In an interview with The Register, Calista Redmond, CEO of RISC-V International, signaled we will see a RISC-V laptop revealed sometime this year as the ISA's governing body works to garner more financial and development support from large companies.

    It turns out Philipp Tomsich, chair of RISC-V International's software committee, dangled a photo of what could likely be the laptop in question earlier this month in front of RISC-V Week attendees in Paris.

    Continue reading
  • Did ID.me hoodwink Americans with IRS facial-recognition tech, senators ask
    Biz tells us: Won't someone please think of the ... fraud we've stopped

    Democrat senators want the FTC to investigate "evidence of deceptive statements" made by ID.me regarding the facial-recognition technology it controversially built for Uncle Sam.

    ID.me made headlines this year when the IRS said US taxpayers would have to enroll in the startup's facial-recognition system to access their tax records in the future. After a public backlash, the IRS reconsidered its plans, and said taxpayers could choose non-biometric methods to verify their identity with the agency online.

    Just before the IRS controversy, ID.me said it uses one-to-one face comparisons. "Our one-to-one face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use one-to-many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users," it said in January.

    Continue reading
  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading

Biting the hand that feeds IT © 1998–2022