The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they’re not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a “shell” on the devices that essentially lets a hacker run any code on them that they choose. The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank’s website, or steal users’ credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization’s HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer.
While only a small minority of F5 BIG-IP devices are directly exploitable, Positive Technologies says that still includes 8,000 devices worldwide. “About 40 percent of those are in the U.S., along with 16 percent in China and single-digit percentages in other countries around the globe,” reports Wired.
“Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update,” adds Wired. “But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix.”