Vulnerabilities detected in BIG-IP load balancer

Researcher Christoffer Jerkeby from F-Secure discovered a vulnerability in the BIG-IP load balancer code from F5 Networks.

Exploiting the vulnerability allows an attacker to penetrate the network and carry out various attacks against companies or individuals that use web services handled by a compromised BIG-IP device.

Reference: BIG-IP is commonly used as a load balancer by businesses and governments that provide online services to large numbers of people. Load balancers help organizations manage sessions, store cookies, route web traffic to backend servers, and so on.

The security problem lies in the Tcl programming language, in which BIG-IP's iRules are written. Certain coding practices allow attackers to inject arbitrary Tcl commands, which are then executed in the security context of the target Tcl script. Attackers can also intercept and manipulate web traffic, exposing confidential information, including authentication credentials and application data.

“The research team discovered over 300,000 active BIG-IP implementations on the internet during the course of researching this issue, but due to methodological limitations, suspects the real number could be much higher. And while not everyone using BIG-IP will be vulnerable, the obscure nature of the underlying issue means most organizations need to investigate and verify whether or not they’re affected,” reported Christoffer Jerkeby.

The researcher notes that in some situations a compromised device will not record the attacker's actions, so no evidence remains after the attack. In other cases, an attacker can, after exploiting the vulnerability, delete logs containing traces of the activity and seriously complicate incident investigation.

However, this problem cannot be resolved by a patch or software update from the vendor, so organizations need to check their own deployments for the vulnerability.

Recommendations:

It is recommended that organizations proactively investigate whether or not they’re affected.

Jerkeby helped develop two free, open-source utilities that organizations can use to identify insecure configurations in their BIG-IP solutions.
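As a starting point for that investigation, the following added example (not one of the utilities mentioned above, and not F5 or F-Secure code) flags iRule lines where a command that re-evaluates its argument receives it unbraced. It assumes the insecure coding practice in question is Tcl double substitution, which the article does not spell out; the function name and the sample iRule are constructed for illustration, and the check is a line-based heuristic rather than a full Tcl parser.

```python
import re

# Commands that evaluate their first argument a second time:
# expr/if/elseif/while parse it as an expression, eval/subst as script text.
REEVALUATING = r"expr|if|elseif|while|eval|subst"
# Command position: start of line or right after [ ; { }. The lookahead
# captures the rest of the line without consuming it, so nested commands
# such as "if { [expr $n] }" are each inspected.
CMD = re.compile(r"(?:^|[\[;{}])\s*(" + REEVALUATING + r")\s+(?=(\S.*))")

def find_double_substitution(irule_text):
    """Return (line_number, command) for arguments Tcl would substitute twice."""
    findings = []
    for number, line in enumerate(irule_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip Tcl comment lines
            continue
        for match in CMD.finditer(line):
            command, argument = match.group(1), match.group(2)
            braced = argument.startswith("{")  # braces defer substitution
            substitutable = "$" in argument or "[" in argument
            if substitutable and not braced:
                findings.append((number, command))
    return findings

# Constructed sample iRule (assumption: not taken from any real deployment).
SAMPLE_IRULE = '''when HTTP_REQUEST {
    set n [HTTP::header value "X-Count"]
    # weak: $n is substituted, then the result is parsed again by expr
    set total [expr $n + 1]
    if { [expr {$n + 1}] > 10 } {
        log local0. "if $n is large, drop"
        drop
    }
    eval $n
    while "$n < 3" { incr n }
}
'''

if __name__ == "__main__":
    for number, command in find_double_substitution(SAMPLE_IRULE):
        print(f"line {number}: unbraced argument to '{command}'")
```

Each finding is a candidate for manual review: wrapping the expression in braces, as on line 5 of the sample, lets Tcl substitute the request-derived value only once.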


About the author

Brendan Smith
