Unlike previous notable F5 exploits, not all of these can be easily hand-waved away by restricting external access to the administrative interfaces known as the control plane, says Justin Rhinehart, senior analyst at Bishop Fox. Two critical exploits disclosed this week affect the so-called data plane, which is the part responsible for handling any and all traffic going through the BIG-IP platform, he says. The only way to mitigate these exploits is by patching.
In a worst-case scenario, Rhinehart says, an attacker can use a vulnerable F5 BIG-IP appliance to break into the broader enterprise network. "Remote command execution in a location with such privileged access is absolutely the stuff of nightmares," he says. "Attackers can use these devices to gain a foothold on a victim's network [and] attack sensitive targets that are not usually accessible from the outside world."
The F5 flaws could affect the networking infrastructure for some of the largest tech and Fortune 500 companies – including Microsoft, Oracle and Facebook.
Remote code execution, denial of service, API abuse possible. Meanwhile, FBI pegs China for Exchange hacks
Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.
An advisory dated today lists seven CVEs, four rated critical.
Most of the bugs concern TMUI – the Traffic Management User Interface that users work with to drive F5 products – and they can be exploited to achieve remote code execution, denial of service attacks, or complete device takeovers; sometimes all three. The iControl REST API that F5 offers to automate its products is also problematic.
F5's security standards questioned with new wave of vulnerabilities (scmagazine.com)