Hackers are actively exploiting BIG-IP vulnerability with a 9.8 severity rating

Researchers are marveling at the scope and magnitude of a vulnerability that hackers are exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks.

The vulnerability affects F5's BIG-IP line of appliances, which organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. F5 says that 48 of the Fortune 50 use the gear, and instances of it are discoverable online. BIG-IP's proximity to network edges and its role in managing traffic for web servers often allow it to see the contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a vulnerability that can be used to execute commands with root system privileges. The threat stems from a faulty implementation of iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices.

The director of research and development at a security firm said that attackers with access to the management interface can pretend to be an administrator.


There are images floating around that show how hackers can use the exploit to access an F5 application endpoint. That endpoint provides an interface for running user-supplied input as a bash command with root privileges.

Although many of the images show exploit code that supplies a password, exploits also work when no password is supplied. The images quickly drew the attention of researchers, who marveled at the power of an exploit that allows the execution of root commands without a password. Some wondered how something this powerful could have been so poorly locked down.
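For defenders, the practical question raised by the paragraphs above is whether anyone outside the management network has been reaching the bash endpoint at all. The following is an added example, not code from the article or from F5: it parses constructed, combined-format access-log lines (the sample lines and the trusted management prefix `10.0.0.` are assumptions, not real F5 logs) and flags every request to `/mgmt/tm/util/bash` that did not come from the trusted management range, regardless of whether the server answered 200 or 401.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined/common log format.
# These are NOT real BIG-IP logs; they only illustrate the detection logic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2022:12:00:02 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 230
10.0.0.5 - - [10/May/2022:12:00:03 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024
198.51.100.9 - - [10/May/2022:12:00:04 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 210
203.0.113.7 - - [10/May/2022:12:00:05 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0
this line is garbage and should be skipped
"""

# Minimal common-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The endpoint the article names as running user input as root.
SENSITIVE_PATH = "/mgmt/tm/util/bash"

# Hypothetical trusted management prefix; adjust to your own environment.
TRUSTED_PREFIXES = ("10.0.0.",)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path):
    """Strip any query string and lowercase so path variants still match."""
    return path.split("?", 1)[0].lower()


def find_suspicious(log_text, trusted_prefixes=TRUSTED_PREFIXES):
    """Flag requests to the bash endpoint that come from outside trusted ranges.

    Both successful (2xx) and rejected (401) attempts are reported, because a
    rejected attempt still shows the endpoint is reachable from that source.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if normalize_path(rec["path"]) != SENSITIVE_PATH:
            continue
        if rec["ip"].startswith(trusted_prefixes):
            continue
        rec["succeeded"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source IP for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        state = "SUCCEEDED" if h["succeeded"] else "rejected"
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']} ({state})")
    print("per-source counts:", dict(summarize(flagged)))
```

Run it against an exported access log instead of `SAMPLE_LOG`; any hit from a non-management address is worth investigating, and a successful one from an address that never authenticated is the pattern the article describes.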

To summarize:
- The /mgmt/tm/util/bash endpoint is a feature that was decided was necessary
- No authentication is required for this endpoint
- The web server runs as root
And all of this passed the sanity checks at F5 and the product was shipped for $$$$

Am I missing anything? pic.twitter.com/W55w0vMTAi