Organisations using products from the vendor F5 Networks are being urged to patch their software or run the risk of being compromised.
F5 Networks has pushed out patches to tackle four critical vulnerabilities in BIG-IP, one of which can be exploited for unauthenticated remote code execution (RCE) attacks.
SBRC’s Cyber Incident Response Manager, Mark Cunningham-Dickie, commented:
These devices are typically found in large/complex organisations, large educational establishments and the public sector. The vulnerability allows for pre-authentication Remote Code Execution (RCE). Basically, you can run your own code without having to log in. The vulnerabilities have not been spotted being actively exploited and were discovered by Google’s Zero Day Project. In total there are four vulnerabilities ranging in CVSS severity between 9.0 and 9.9 out of 10.
The RCE vulnerabilities are control-plane only, meaning that if you DO NOT present your management interfaces to the internet (for a managed service to administer on your behalf) then you are at reduced risk of compromise. However, there are vulnerabilities on the data plane which could cause Denial of Service (DoS) irrespective of where your management interface presents.
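The control-plane versus data-plane distinction above is the basis for prioritising which BIG-IP devices to patch first. The script below is an added example, written for this notice and not code from SBRC or F5: it triages a small constructed inventory, treating any unpatched device whose management interface sits outside the organisation's internal management ranges as internet-exposed (critical, pre-auth RCE reachable), and every other unpatched device as still needing the fix because of the data-plane DoS. The `Device` fields, the internal ranges in `INTERNAL_MGMT_NETS` and the sample inventory are all assumptions for illustration.

```python
"""Triage a BIG-IP inventory by plane exposure, following the advisory's logic:
pre-auth RCE is reachable only via the management (control-plane) interface,
while the data-plane DoS issues apply wherever the management interface lives.
Added example; the inventory below is constructed, not real device data."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: management interfaces are only ever addressed from these internal
# ranges. A management address outside them is treated as internet-reachable.
INTERNAL_MGMT_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]


@dataclass(frozen=True)
class Device:
    name: str          # hypothetical inventory name
    mgmt_address: str  # address the management (control-plane) interface listens on
    patched: bool      # True once F5's fixes for the four vulnerabilities are applied


def mgmt_is_internal(address: str) -> bool:
    """True if the management address falls inside an internal management range.
    Mixed IPv4/IPv6 comparisons simply return False, so an IPv6 address is only
    internal if it is inside the IPv6 range listed above."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_MGMT_NETS)


def classify(device: Device) -> Tuple[str, str]:
    """Return (level, reason) for one device, following the advisory's reasoning."""
    if device.patched:
        return ("PATCHED", "fixed version installed; no further action")
    if not mgmt_is_internal(device.mgmt_address):
        return ("CRITICAL",
                "unpatched and management interface reachable from the internet: "
                "pre-auth RCE exposure; patch now or remove the exposure")
    return ("HIGH",
            "unpatched; control plane is internal so RCE risk is reduced, "
            "but data-plane DoS still applies; schedule patching")


PRIORITY = {"CRITICAL": 0, "HIGH": 1, "PATCHED": 2}


def triage(devices: Iterable[Device]) -> List[Tuple[str, str, str]]:
    """Return (name, level, reason) rows, most urgent first (sort is stable)."""
    rows = [(d.name,) + classify(d) for d in devices]
    return sorted(rows, key=lambda r: PRIORITY[r[1]])


# Constructed sample inventory (addresses are documentation/private ranges).
SAMPLE_INVENTORY = [
    Device("bigip-dmz-01", "203.0.113.7", patched=False),   # management on a public-facing address
    Device("bigip-core-02", "10.20.30.40", patched=False),  # management on the internal network
    Device("bigip-core-03", "192.168.5.9", patched=True),   # already fixed
]

if __name__ == "__main__":
    for name, level, reason in triage(SAMPLE_INVENTORY):
        print(f"{level:8} {name:14} {reason}")
```

Run on the sample inventory it lists `bigip-dmz-01` first as CRITICAL, then `bigip-core-02` as HIGH and `bigip-core-03` as PATCHED. In a real estate the inventory would come from your CMDB or the device's own configuration export, and the "internal" ranges should be whatever your management network actually is; the classification logic itself is what the advisory's two paragraphs describe.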
More information for technical teams can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=2132