Customers urged to update after RCE and XSS vulnerabilities unearthed

Coding script on blue-green background

UPDATED F5 has patched a critical remote-code execution (RCE) vulnerability in its BIG-IP application delivery controller (ADC) that puts many of the world’s biggest companies at risk.

The application services giant has also fixed an authenticated vulnerability that could lead to cross-site scripting (XSS) attacks.

Attackers who exploit the pre-authorization RCE flaw “can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network”, said Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw, in a post published yesterday (July 2).

Shodan peril

To exploit the RCE flaw, which was found in the ADC’s configuration interface, an attacker with access to the BIG-IP configuration utility “needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration”, according to the article.

Klyuchnikov said RCE can result “from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.

“Fortunately,” he added, “most companies using the product do not enable access to the interface from the internet.”

The high severity XSS bug – also found in the BIG-IP configuration interface – allows attackers to run malicious JavaScript code, but only if they have administrator privileges and access to Advanced Shell (bash).

More than 8,000 devices are vulnerable globally, revealed threat intelligence monitoring conducted by UK-based Positive Technologies.

Some 40% of those devices are based in the US, 16% are in China, 3% in Taiwan, and 2.5% in Canada and Indonesia.

Mediating communication between servers and their clients, ADCs boost the performance of web applications using techniques such as load balancing, caching, compression, and offloading SSL processing.

Updates and mitigations

Affected companies – those running versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, or 15.1.x – are urged to update to the corresponding, patched versions of BIG-IP: 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.

Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba are advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.

Organizations unable to update immediately can mitigate the RCE flaw by adding a LocationMatch configuration element to httpd, and blocking access to the TMUI of their BIG-IP system via Self IPs.

An F5 security advisory provides details on how to perform these actions.

Restricting management access to F5 products over a secure network can help mitigate both flaws.

Users can further protect against the XSS vulnerability by limiting shell access to trusted users, with further instructions included in a separate advisory.

“In addition to the advisory,” F5 is notifying “customers directly through email”, a spokesperson for F5 told The Daily Swig.

F5, which is headquartered in Seattle, has 85 offices in 43 countries and says its application security services are used by 48 of the Fortune 50 companies.

Mikhail Klyuchnikov told The Daily Swig that they notified the vendor on April 1.

“Since the discovery of the vulnerability, we have worked closely with F5,” he said. “They fixed the vulnerability as quickly as possible. I think we have worked fruitfully to make many companies safer.”


This article was updated on July 6 with comments from security researcher Mikhail Klyuchnikov.


RELATED Red alert: Palo Alto firewall authentication bypass flaw ripe for exploitation