Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online

Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks.

News of in-the-wild exploitation comes on the heels of proof-of-concept exploit code that surfaced online earlier this week, produced by reverse-engineering the Java software patch in BIG-IP. The mass scans are said to have spiked since March 18.

The flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical remote code execution flaw (CVE-2021-22986) also impacting BIG-IQ versions 6.x and 7.x. CVE-2021-22986 (CVSS score: 9.8) is notable because it’s an unauthenticated remote command execution vulnerability in the iControl REST interface, allowing an attacker to execute arbitrary system commands, create or delete files, and disable services without any authentication.

Successful exploitation of these vulnerabilities could lead to a full compromise of vulnerable systems, including the possibility of remote code execution, and could trigger a buffer overflow, leading to a denial of service (DoS) attack.

While F5 said on March 10 that it was not aware of any public exploitation of these issues, researchers from NCC Group said they have now found evidence of “full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986” in the wake of multiple exploitation attempts against its honeypot infrastructure.

Additionally, Palo Alto Networks’ Unit 42 threat intelligence team said it found attempts to exploit CVE-2021-22986 to install a variant of the Mirai botnet. But it’s not immediately clear if those attacks were successful.

Given the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation.

Last July, the company addressed a similar critical flaw (CVE-2020-5902), following which it was abused by Iranian and Chinese state-sponsored hacking groups, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert cautioning of a “broad scanning activity for the presence of this vulnerability across federal departments and agencies.”

“The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances — we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” F5 Senior Vice President Kara Sprague noted last week.