F5 announced March 10 seven vulnerabilities tied to it's BIG-IP and BIG-IQ network devices, the company's second significant security disclosure in less than year.
The latest disclosure includes remote command execution vulnerabilities in the iControl REST interface and Traffic Management User Interface and two buffer overflow vulnerabilities. Six of the seven vulnerabilities listed receive a severity score of 8.0 or higher from the Common Vulnerability Scoring System, and four are scored between 9.0 and 9.9.
Patches are available for all seven flaws for BIG-IP versions 16.01.1, 18.104.22.168, 14.1.4, 22.214.171.124, 126.96.36.199, and 188.8.131.52. The iControl REST vulnerability also impacts BIG-IQ, and patches are available for versions 8.0.0, 184.108.40.206 and 220.127.116.11.
In a blog titled: “F5’s Commitment to Product Security,” Kara Sprague, senior vice president and general manager of F5’s Big-IP products, made it clear the impact was widespread.
“The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances – we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” wrote Sprague.
In an update posted today for the company’s how-to-guide for automating BIG-IP devices, F5 security architect Jason Rahm notes that while “some of the vulnerabilities aren’t trivial to exploit, not all of them have a practical mitigation.”
The disclosure comes less than a year after another remote code execution vulnerability in F5’s BIG-IP devices discovered by Positive Technology researcher Mikhail Klyuchnikov received a 10 out 10 for severity and resulted in sharp warnings from two federal agencies – U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency – that widespread scanning and exploitation was already ongoing and that patching “should not be postponed over the weekend.”
F5 BIG-IP networking devices are popular across industries, with the Center for Internet Security’s Curtis Dukes saying that they are used by most large organizations, including many major cloud service providers.
“Pretty much every industry sector uses the device and is likely susceptible – if they are internet-facing – to an [RCE] attack,” Dukes said last year regarding F5’s BIG-IP product.
The RCE vulnerabilities found last year, the sheer number of severe and critical vulnerabilities listed in the new disclosure and their wide impact across both F5’s networking and centralized management solution products led some information security experts to question whether there are larger, more fundamental security culture failures happening at the company.
“If you want an analogy, this is a car with no seatbelts or brake pedals leaking gasoline fumes into the compartment, and now it's also blinking the change oil light,” tweeted Corellium chief operating officer Matthew Tait, who argued that F5 failed to enable basic security protections that could have made some of the vulnerabilities unexploitable or trivial to detect. “So, yeah, by all means, change the oil. But that's not going to stop this thing being a death trap.”
Sprague, for her part, appeared to try to preempt some of those questions in her blog by noting the company’s “comprehensive” security practices, including “secure training and frameworks, testing, internal and external auditing, and vulnerability management and disclosure” across the company.
“The trust you place in F5 to handle the security and delivery of your most important assets — your applications — is not something we take lightly,” Sprague claimed. “We understand vulnerability remediation can be disruptive to your business. We’re committed to helping you efficiently update your BIG-IP and BIG-IQ systems to the latest, most secure, and best-performing versions—so that you can continue doing what you do best: serving your own customers.”
Additional technical details around the vulnerabilities as well as guidance for patching and remediation can be found here.