F5 Networks and Cisco this week issued warnings about serious, and in some cases critical, security vulnerabilities in their products.
F5 officials said Thursday its most serious issue, a critical flaw in its iControl REST framework with a severity score of 9.8 out of 10, could be exploited to bypass the authentication software, used by its BIG-IP portfolio, and hijack equipment. Specifically, the vulnerability, tracked as CVE-2022-1388, can be abused by miscreants to, among other things, run malicious commands on BIG-IP devices via their management ports unimpeded.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” as F5 put it in its advisory. “There is no data plane exposure; this is a control plane issue only.”
Judging from a search on Shodan.io, there were almost 16,000 BIG-IP products exposed to the public internet that were seemingly vulnerable to the flaw, which the vendor discovered internally. F5 released fixes for five versions of BIG-IP – v188.8.131.52, v184.108.40.206, v220.127.116.11 and v13.1.5 – to address the security weakness. Version 17 is not known to be vulnerable. The company encouraged users that are running at-risk versions to upgrade as soon as possible.
Until then, F5 outlined several temporary mitigations, including blocking access to the iControl REST interface via self IP addresses, restricting management access only to trusted users and devices over a secure network, or modifying the BIG-IP httpd configuration.
F5’s BIG-IP portfolio includes hardware and software designed to ensure application performance, security, and availability through such tools as access policy and advanced firewall managers, web application firewalls, an SSL orchestrator, and local traffic manager. iControl REST enables rapid interaction between the F5 device and the user or a suitable script.
And Cisco’s got issues, too
F5’s alert came a day after Cisco officials warned about several severity 9.9 security flaws in its Enterprise NFV Infrastructure Software (NFVIS) that could, among other things, allow authenticated, remote attackers to escape from a guest virtual machine (VM) and into the host system. The bad actors could then run commands with root privileges or leak system data from the host. Typically in an NFV environment, the guest VMs are created, configured, and controlled by the network operator; in other words, this sort of security hole would be exploited by a rogue insider or someone who has already managed to compromise one of the host’s virtual machines.
“The vulnerabilities are not dependent on one another,” Cisco’s Product Security Incident Response Team (PSIRT) added in its advisory. “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.”
For its part, Cisco detailed three vulnerabilities – tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, found by a team calling itself the Orange Group – in its Enterprise NFVIS, which enables virtual network functions to be managed independently. Organizations can use the software to choose how to deploy Cisco’s Enterprise NFV offering and on what platform.
A flaw in the Next Generation Input/Output (NGIO) feature can be abused by an attacker to escape from a guest VM and gain root-level access to the host by making an API call. Another vulnerability in the image registration process would allow a miscreant to inject commands that also execute at the root level by persuading an administrator on the host machine to install a VM image with crafted metadata.
The third flaw is in the import function.
“An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM,” Cisco PSIRT wrote. “A successful exploit could allow the attacker to access system information from the host, such as files containing user data, on any configured VM.”
Both companies have released fixes for the vulnerabilities. For NFVIS, net admins should upgrade to version 4.7.1 or higher. Cisco said it was not aware of any active exploitation of the flaws.
The US Cybersecurity and Infrastructure Agency (CISA) in a statement urged F5 customers to apply the aforementioned updates or use the workarounds to protect against attackers.
Less haste, more speed for fixes
It’s imperative that organizations patch the vulnerabilities, though the work can’t stop there, according to Greg Fitzgerald, co-founder of asset management platform vendor Sevco Security.
“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” Fitzgerald told The Register. “The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.”
Companies can’t patch something that they don’t know is there and “attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets,” he said.
As IT becomes increasingly distributed across the data center, clouds and the edge, and remote workforces become more common, the demand for network security is growing. Analysts with Fortune Business Insights are predicting the global networking security market will jump from $22.6 billion this year to $53.11 billion by 2029. ®