F5 BIG-IP

F5 BIG-IP is a family of products, a platform that includes specially created hardware, software modules, virtualization solutions running the TMOS operating system.

Depending on the device, one or more BIG-IP product modules can be added to a BIG-IP family device to provide multiple network functions within a single, unified platform.

The platform includes hardware modules:

• Local Traffic Manager (LTM): local load balancing equipment;
• Global Traffic Manager (GTM) - Global Balancing Server using DNS
• Link Controller: Provider Inbound and Outbound Load Balancer Internet
• Application Security Manager (ASM) - Network Application Firewall;
• WebAccelerator: symmetric or asymmetric caching solution for HTTP and HTTPS traffic;
• Edge Gateway: edge SSL router of VPN networks;
• WAN Optimization Module: symmetric data center WAN optimization solution;
• Access Policy Manager (APM) provides authentication and access control for HTTP and HTTPS applications;
• Secure Web Gateway (SWG): a product for filtering links, blocking malicious sites, secure browsing of pages by corporate users
• Advanced Firewall Manager (AFM): solution for protection against DDoS attacks, firewall for data centers;
• IP Intelligence (IPI): a means of blocking IP addresses by blacklist, opposing phishing attacks and botnets
• WebSafe - Protect against fraudulent threats using encryption, malware detection, and user behavior analysis.

2022: Fix a vulnerability that allows an unidentified attacker to execute arbitrary system commands

F5 warned of the critical vulnerability of BIG-IP.

The vulnerability is due to the lack of authentication verification, which potentially allows an attacker to gain control over vulnerable systems. This became known on May 5, 2022.

The company has issued fixes for 43 bugs in its products. Of the 43 vulnerabilities, one has a critical hazard rating, 17 have a high, 24 have an average and another has a low hazard rating.

Chief among the vulnerabilities is CVE-2022-1388 with a CVSS score of 9.8 out of 10.

The vulnerability could allow an unidentified attacker to execute arbitrary system commands, create or delete files, and also disable services if there is network access to the BIG-IP system through the management port and/or their own IP addresses, the company said. - Vulnerability does not affect data, only control over the system.

According to F5, the vulnerability was discovered internally and affects BIG-IP products of the following versions:

• 16.1.0 - 16.1.2
• 15.1.0 - 15.1.5
• 14.1.0 - 14.1.4
• 13.1.0 - 13.1.4
• 12.1.0 - 12.1.6
• 11.6.1 - 11.6.5

Bypass of iControl REST authentication has been fixed in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5. Other F5 products - BIG-IQ Centralized Management, F5OS-A, F5OS-C and Traffix SDC, are not vulnerable to CVE-2022-1388.

Prior to the patches, F5 offered users temporary security measures:

• Block access to REST iControl via self IP address.
• Block access to REST iControl through the management interface.
• Change httpd BIG-IP configuration.
• A self IP address is an IP address in a BIG-IP system that a user associates with a VLAN to access hosts in that VLAN.

Other errors addressed in the update may allow the authenticated attacker to bypass the Appliance mode restrictions and execute arbitrary JavaScript code in the context of the current registered user.

Since F5 devices are used in enterprise networks, organizations need to apply patches as soon as possible, protecting systems from initial hacker access.

Earlier it was reported about successful attacks on BIG-IP and BIG-IQ through a fixed vulnerability that allowed remote code execution and affected most versions of the F5 BIG-IP software and BIG-IQ^[1].

2020: Fix Vulnerability in BIG-IP Application Delivery Controller

Positive Technologies expert Mikhail Klyuchnikov identified a critical vulnerability in the configuration interface of the BIG-IP application delivery controller. Using this error, the attacker could be able to execute commands on behalf of an unauthorized user and completely compromise the system, for example, intercept the traffic of web resources controlled by the controller. The attack can be implemented remotely. This was announced on July 2, 2020 by Positive Technologies.

During the monitoring of current threats (threat intelligence), Positive Technologies experts found that at the end of June 2020 there were over 8 thousand vulnerable devices available from the Internet in the world, of which 40% were in the United States, 16% in China, 3% in Taiwan, 2.5% each in Canada and Indonesia. In Russia, less than 1% of vulnerable devices were found.

Vulnerability with ID CVE-2020-5902 received a score of 10 on the CVSS scale. To operate the vulnerability, the attacker must send a specially formed HTTP request to the server where Traffic Management User Interface (TMUI) is located, also known as the "BIG-IP system configuration utility."

"This vulnerability allows a remote attacker, including one who is not authenticated but who has access to the BIG-IP configuration utility, to execute arbitrary code in software (RCE). As a result, the attacker can create or delete files, disable services, intercept information, execute arbitrary system commands and arbitrary Java code, completely compromise the system and develop an attack, for example, on an internal network segment. RCE is caused by a combination of security flaws of several system components (for example, leaving the directory). Companies that have the F5 BIG-IP web interface can be found in special search engines such as Shodan are particularly dangerous, but it should be noted that the necessary interface is not available from the global network from all user companies, " noted Mikhail Klyuchnikov, Positive Technologies expert

Positive Technologies noted that in order to eliminate the vulnerability, it is necessary to upgrade the system to the latest version: vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be replaced by versions in which the vulnerability is fixed (BIG-IP 11.6.5.2, 12.1.5.2, 13.1.3.4,.01.1.2.6,.). For users of public cloud marketplaces (AWS, Azure, GCP and Alibaba), you must use versions BIG-IP Virtual Edition (VE) 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6 or 15.1.0.4), provided they are available in these markets. The other recommendations are given in the F5 BIG-IP notification.

In addition, F5 eliminated the second vulnerability in the BIG-IP configuration interface discovered by Mikhail Klyuchnikov. The vulnerability of CVE-2020-5903 with a rating of 7.5 belongs to the XSS class. An attacker can use this error to execute malicious JavaScript code on behalf of a logged on user. In the case of a user with administrator privileges who has access to Advanced Shell (bash), the operation of this vulnerability can lead to a complete compromise of the BIG-IP system by remote code execution. Details and remediation recommendations are provided in the F5 notice.

Also, to block attacks that exploit vulnerabilities such as CVE-2020-5902 and CVE-2020-5903, companies can use application-tier firewalls.

2016: BIG-IP 12.1

On July 12, 2016, F5 Networks announced the release of BIG-IP 12.1. Software provides programming capabilities in traditional, cloud, and hybrid environments.

F5's LX iRules technology allows you to manage and selectively deploy the functionality of services through Node.js, and supports access to more than 250 thousand software packages of the Node.js community. This functionality is required when delivering advanced functionality for web applications that require optimized bandwidth, high scalability, and traffic flow management services. The embedded extension for the Eclipse Integrated Development Environment (IDE), which is supported by other developers of enterprise-level technology (CA, Google, IBM, Oracle, Red Hat, and SAP), enables the rapid delivery of reusable code, which extends functionality.

In software products version 12.1 implemented a number of improvements in the field of information security:

• BIG-IP 12.1 enhances the protection of industry-leading web applications with BIG-IP Application Security Manager (ASM), which includes unique and adaptable bot detection techniques with detailed analysis and advanced device ID tracking.
• BIG-IP ASM accelerates the blacklisting of malicious IP hardware for tier 7 threats, providing robust protection before updated versions of the lists are available.
• F5 software solutions provide control over HTML5 WebSocket connections for comprehensive policy protection when other firewalls for web applications fail.
• BIG-IP Advanced Firewall Manager has advanced functionality that automatically restricts the flow of Layer 3-7 attacks and monitors user-initiated actions on the SSH channel by deploying customized policies.

2015: BIG-IP 12.0 released

On September 1, 2015, F5 Networks announced the release of 12 major versions of the software, which extends the hybrid platform of F5 services and significantly improves the dynamics, security and speed of cloud applications.

ON BIG-IP version 12.0 takes advantage of F5 Application Delivery Services switching by extending the F5 Synthesis model by combining physical and virtual resources to effectively support cloud and hybrid use cases. This approach allows customers to migrate workloads to the cloud as needed and implement new technologies, including HTTP/2, while retaining the benefits of enhanced control and security for traditional infrastructures.

F5 supports customers deploying cloud and hybrid IT architectures with BIG-IP Virtual Edition solutions that have become available in. Azure Marketplace All BIG-IP software modules will be available on Azure under the Good, Better, Best company licensing model F5 in the form of a BYOL (Bring Your Own License) configuration with options of 25 M, 200 M.

F5 and Microsoft customers will have additional capabilities to optimize application and cloud delivery technologies within a single unified platform. In addition, F5 offers speed differentiation in Azure, including VPN and routing support (IPsec tunnel) in Microsoft cloud environments.

The company's application protection system BIG-IP version 12.0 F5 included many changes. Main features:

• Access to all types of IT environments with SSO - F5 Extends secure features, authentications authorizations, and accounting for cloud, web, and virtual applications with centralized feature management.
• protection against a wide range of attacks. With DDoS BIG-IP 12.0, the company F5 offers the most complete and efficient solutions for protecting against DDoS attacks in local and cloud environments. F5 helps companies improve their security and agility with simplified attack detection.
• Improved SSL features for end-to-end protection. Companies are increasingly using SSL technology, encrypting almost all data. BIG-IP offers innovative, integrated SSL encryption for managing security certificates and keys for physical, virtual, and cloud solutions.