Freely subscribe to our NEWSLETTER

The security issue is present in the Tcl programming language that BIG-IP’s iRules (the feature that BIG-IP uses to direct incoming web traffic) are written in. Certain coding practices allow attackers to inject arbitrary Tcl commands which could be executed in the security context of the target Tcl script.

Adversaries that successfully exploit such insecurely configured iRules can use the compromised BIG-IP device as a beachhead to launch further attacks, resulting in a potentially severe breach for an organization. They could also intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organization’s web services to be targeted and attacked.

In some cases, exploiting a vulnerable system can be as simple as submitting a command or piece of code as part of a web request, that the technology will execute for the attacker. To make matters worse, there are cases where the compromised device will not record the adversaries’ actions, meaning there would be no evidence that an attack took place. In other cases, an attacker could delete logs that contain evidence of their post-exploit activities – severely hindering any incident investigations.

“This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks. Plus, many organizations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem,” explains F-Secure Senior Security Consultant Christoffer Jerkeby. “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”

Jerkeby discovered over 300,000 active BIG-IP implementations on the internet during the course of his research, but due to methodological limitations, suspects the real number could be higher. Approximately 60 percent of the BIG-IP instances he found were in the United States.

The coding flaw and class of vulnerability is not novel and has been known, along with other command injection vulnerabilities in other popular languages, for some time. Not everyone using BIG-IP will be affected, but the load balancer’s popularity amongst banks, governments, and other entities that provide online services to large numbers of people, combined with the relative obscurity of the underlying security issues with Tcl, means any organization using BIG-IP needs to investigate and assess their exposure.

“Unless an organization has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” says Jerkeby. “Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario.”

Recommendations for organizations

Because it is possible to mass scan the internet to identify and exploit vulnerable instances of the technology, and in some cases, automate this process, the issue is likely to attract attention from bug bounty hunters and attackers. Furthermore, free trial versions of the technology can be obtained from the vendor, and cloud instances can be accessed from the AWS store for a minimal cost. For these reasons, as well as the potentially severe impact of attacks using this flaw, F-Secure is advising organizations to proactively investigate whether or not they’re affected.

Jerkeby has helped develop some free, open-source tools that organizations can use to identify insecure configurations in their BIG-IP implementations. But according to Jerkeby, there’s no quick fix for security issues like these, so it’s up to organizations to tackle the issue.

“The upside of this kind of security problem is that not everyone using the product will be affected. But the downside is that the problem can’t be fixed with a patch or software update from the vendor, so it’s up to organizations to do the work to check to see if they have this issue, and fix it if they find it,” explains Jerkeby. “That’s why it’s important for anyone using BIG-IP to be proactive about this.”