Firms Urged to Patch as Attackers Exploit Critical F5 Bugs

Security experts are urging F5 customers to patch a critical vulnerability in the vendor’s BIG-IP and BIG-IQ networking products after warning of mass exploitation attempts in the wild.

CVE-2021-22986 is a flaw in the products’ REST-based iControl management interface which could allow for authentication bypass and remote code execution.

With a CVSS rating of 9.8, it was patched on March 10 along with several other bugs that could be chained in attacks. These are: CVE-2021-22987, CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.

Although no public exploit was known about at the time of patching, a week later researchers began to post PoC code online after reverse engineering an F5 patch.

NCC Group warned on Friday that as the REST API in question is designed to facilitate remote administration, an attacker could choose from multiple endpoints in an organization which ones to target.

“Starting this week and especially in the last 24 hours (March 18th, 2021) we have observed multiple exploitation attempts against our honeypot infrastructure. This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon,” it said.

“NCC Group believes it is in the best interests of all to release our internal notes and detection logic to prevent further harm once public exploits become available.”

Networking firm F5 serves some of the world’s biggest organizations, including tech and financial services giants, so both state actors and financially motivated cyber-criminals will be keen to probe for unpatched endpoints.

The US Cybersecurity and Infrastructure Security Agency (CISA) has already sounded the alarm, urging customers to patch the issue promptly.

However, as we’ve seen with the recent Exchange Server attacks, many organizations are finding it challenging to fix or mitigate issues quickly, even if official updates are available.

Vdoo CTO, Asaf Karas, argued that the threat landscape for connected products has become complicated and multi-dimensional.

“Networking devices such as load balancers and access gateways are desirable targets for threat actors, as they’re used to control the traffic in and out of large corporate networks, government agencies, data centers and across ISP infrastructure,” he added.

“Once inside the network, attackers can move laterally to take control of critical resources and data.”

Leave a Reply