This article is more than 1 year old
F5, Cisco admins: Stop what you're doing and check if you need to install these patches
BIG-IP iControl authentication bypass, NFV VM escape, and more
Updated F5 Networks and Cisco this week issued warnings about serious, and in some cases critical, security vulnerabilities in their products.
F5 officials said Thursday its most serious issue, a critical flaw in its iControl REST framework with a severity score of 9.8 out of 10, could be exploited to bypass the authentication software, used by its BIG-IP portfolio, and hijack equipment. Specifically, the vulnerability, tracked as CVE-2022-1388, can be abused by miscreants to, among other things, run malicious commands on BIG-IP devices via their management ports unimpeded.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," as F5 put it in its advisory. "There is no data plane exposure; this is a control plane issue only."
Judging from a search on Shodan.io, there were almost 16,000 BIG-IP products exposed to the public internet that were seemingly vulnerable to the flaw, which the vendor discovered internally. F5 released fixes for five versions of BIG-IP – v16.1.2.2, v15.1.5.1, v14.1.4.6 and v13.1.5 – to address the security weakness. Version 17 is not known to be vulnerable. The company encouraged users that are running at-risk versions to upgrade as soon as possible.
Until then, F5 outlined several temporary mitigations, including blocking access to the iControl REST interface via self IP addresses, restricting management access only to trusted users and devices over a secure network, or modifying the BIG-IP httpd configuration.
F5's BIG-IP portfolio includes hardware and software designed to ensure application performance, security, and availability through such tools as access policy and advanced firewall managers, web application firewalls, an SSL orchestrator, and local traffic manager. iControl REST enables rapid interaction between the F5 device and the user or a suitable script.
And Cisco's got issues, too
F5's alert came a day after Cisco officials warned about several severity 9.9 security flaws in its Enterprise NFV Infrastructure Software (NFVIS) that could, among things, allow authenticated, remote attackers to escape from a guest virtual machine (VM) and into the host system. The bad actors could then run commands with root privileges or leak system data from the host.
Typically in an NFV environment, the guest VMs are created, configured, and controlled by the network operator; in other words, this sort of security hole would be exploited by a rogue insider or someone who has already managed to compromise one of the host's virtual machines.
"The vulnerabilities are not dependent on one another," Cisco's Product Security Incident Response Team (PSIRT) added in its advisory. "Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities."
For its part, Cisco detailed three vulnerabilities – tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, found by a team calling itself the Orange Group – in its Enterprise NFVIS, which enables virtual network functions to be managed independently. Organizations can use the software to choose how to deploy Cisco's Enterprise NFV offering and on what platform.
A flaw in the Next Generation Input/Output (NGIO) feature can be abused by an attacker to escape from a guest VM and gain root-level access to the host by making an API call. Another vulnerability in the image registration process would allow a miscreant to inject commands that also execute at the root level by persuading an administrator on the host machine to install a VM image with crafted metadata.
- Critical vulnerabilities found in 'millions of Aruba and Avaya switches'
- Microsoft fixes cross-account vulns in Azure Database for PostgreSQL service
- Five Eyes nations reveal 2021's fifteen most-exploited flaws
- Microsoft points at Linux and shouts: Look, look! Privilege-escalation flaws here, too!
The third flaw is in the import function.
"An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM," Cisco PSIRT wrote. "A successful exploit could allow the attacker to access system information from the host, such as files containing user data, on any configured VM."
Both companies have released fixes for the vulnerabilities. For NFVIS, net admins should upgrade to version 4.7.1 or higher. Cisco said it was not aware of any active exploitation of the flaws.
The US Cybersecurity and Infrastructure Agency (CISA) in a statement urged F5 customers to apply the aforementioned updates or use the workarounds to protect against attackers.
Less haste, more speed for fixes
It's imperative that organizations patch the vulnerabilities, though the work can't stop there, according to Greg Fitzgerald, co-founder of asset management platform vendor Sevco Security.
"The most significant risk for enterprises isn't the speed at which they are applying critical patches; it comes from not applying the patches on every asset," Fitzgerald told The Register. "The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for."
Companies can't patch something that they don't know is there and "attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets," he said.
As IT becomes increasingly distributed across the data center, clouds and edge and remote workforces are more common, and the demand for network security is growing. Analysts with Fortune Business Insights are predicting the global networking security market will jump from $22.6 billion this year to $53.11 billion by 2029. ®
Updated to add
Since F5 Networks last week announced a critical vulnerability in the iControl REST authentication framework in the vendor’s BIG-IP networking modules, threat actors and cybersecurity experts alike have been hard at work trying to exploit it.
Security researchers over the weekend said they were successful remote code execution (RCE) flaw tracked as CVE-2022-1388, which carries as severity score of 9.8 out of 10. If exploited, a hacker could gain initial access into a system and then take control of it, opening it up to a range of attacks.
Security teams from such companies as Horizon3.ai and Positive Technologies said on Twitter over the week that they were able to develop proof-of-concept exploits. In its tweet, the experts at Horizon3.ai wrote that the vulnerability “is trivial to exploit. We spent some time chasing unrelate diffs within the newest version, but [exploit developer James Horseman] ultimately got first blood.”
The vendor said it would release a POC this week to give organizations more time to patch. However, some are also seeing exploitation attempts in the wild, including many against the management interface.
Researcher Kevin Beaumont tweeted that he has seen attacks that didn’t target the interface, adding that “if you configured [the] F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy.”
German Fernandez, a security researcher with Cronup, detected bad actors installing PHP webshells that could lead to other attacks, including ransomware.
Some also questioned how the vulnerability got into the software give how easy it is to exploit. Jake Williams, executive director of cyberthreat intelligence at Scythe, said he wasn’t “entirely unconvinced that this code wasn't planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.”
F5 issued a fix for the vulnerability last week and urged users to patch their systems ASAP, particularly given that there are thousands of BIG-IP machines exposed on the internet.
In a statement to The Register, F5 said, “We are aware exploits for CVE-2022-1388 have been publicly posted and there are active attacks against the vulnerability. If customers have not already done so, we strongly recommend updating to a fixed version of BIG-IP or implementing one of the mitigations detailed in the security advisory.”