Load balancer flaw could lead to major breaches at large organizations
A security flaw in the F5 Networks’ BIG-IP load balancer, which is popular among governments, banks, and other large corporations, could be exploited to allow network access.
F-Secure senior security consultant Christoffer Jerkeby has discovered the issue in the Tcl programming language that BIG-IP's iRules (the feature that BIG-IP uses to direct incoming web traffic) are written in. Certain coding practices allow attackers to inject arbitrary Tcl commands, which could be executed in the security context of the target Tcl script.
"This configuration issue is really quite severe because it's stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks. Plus, many organizations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem," explains Jerkeby. "Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack."
Jerkeby discovered over 300,000 active BIG-IP implementations on the internet during the course of his research, but suspects the real number could be much higher. Approximately 60 percent of the BIG-IP instances he found are in the United States.
The coding flaw and class of vulnerability is not new and has been known, along with other command injection vulnerabilities in other popular languages, for some time. While not everyone using BIG-IP will be affected, the load balancer's popularity amongst banks, governments, and other entities that provide online services to large numbers of people, combined with the relative obscurity of the underlying security issues with Tcl, means any organization using BIG-IP needs to investigate and assess its exposure.
"Unless an organization has done an in-depth investigation of this technology, there's a strong chance they've got this problem," says Jerkeby. "Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario."
F5 issued its own statement as follows:
This is not a vulnerability in Tcl, nor F5 products, but rather an issue relating to coding practices used in creating the scripts. As with most programming or scripting languages, it is possible to write code in a way that creates vulnerabilities. We have been working with the researcher on documentation and notification to ensure customers can evaluate their exposure and take necessary steps to mitigate. The best practice for Tcl scripting is to escape all expressions, ensuring they are not substituted or evaluated unexpectedly. Customers are advised to evaluate Tcl scripts and make all changes they deem appropriate under this guidance. More information is available in the security advisory.