More than 8,000 devices are vulnerable to ‘trivial’ exploit code that ‘fits in a tweet’
Sysadmins’ had their weekends interrupted after a proof-of-concept exploit and reports of active exploitation of the vulnerability – whose disclosure The Daily Swig reported on Thursday – surfaced online on Saturday (July 4).
In a Twitter thread, Rich Warren, principal security consultant at NCC Group, revealed that the cybersecurity organization’s BIG-IP honeypots had been hit by exploits emanating from Italy.
‘Wave of attacks’
Warren followed up this morning with reports of “an uptick in RCE attempts” using a public Metasploit module that was published on Sunday, with a “large wave of attacks” apparently being directed from China.
NCC Group researchers have outlined their findings in a blog post.
Eric Vanderburg, vice president of cybersecurity at TCDI, tweeted that the proof-of-concept code “is so trivial, it fits in a tweet”.
A penetration tester today tweeted a screenshot of a Shodan search revealing that 8,400 vulnerable BIG-IP management interfaces were still exposed to the internet.
More than 3,300 of these installations are located in the US, where many offices remain closed today for a federal holiday following Independence Day celebrations.
Complete system compromise
Attackers who exploit the RCE flaw can “completely compromise the system, and pursue further targets, such as the internal network”, Mikhail Klyuchnikov, the security researcher at Positive Technologies who discovered the vulnerability, said in a post published Thursday (July 2).
On Sunday (July 5), a Jordan-based researcher outlined some of the files attackers could extract using the exploit code.
F5 patched the critical RCE vulnerability, along with an authenticated cross-site scripting (XSS) bug, in its BIG-IP application delivery controller (ADC) after being notified of the issues on April 1.
ADCs optimize the performance of web applications using techniques such as load balancing, caching, compression, and offloading SSL processing.
Updates and mitigations
Organizations are advised to urgently update their systems if they are running BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, or 15.1.x.
IoT search engine Shodan said yesterday that potentially affected organizations could configure Shodan Monitor to receive alerts if any of their assets are vulnerable.