Multiple Vulnerabilities in F5 BIG-IP and F5OS
Multiple vulnerabilities in F5 BIG-IP and F5OS allow an attacker to bypass security mechanisms, escalate privileges, cause a denial-of-service condition, perform a cross-site scripting attack, and disclose or manipulate information.
Multiple vulnerabilities exist within F5 BIG-IP and F5OS, potentially allowing an attacker to bypass security measures, elevate privileges, trigger denial-of-service (DoS) conditions, execute cross-site scripting (XSS) attacks, and expose or manipulate sensitive information. The specific versions affected are not detailed in this advisory, but defenders should assume all versions are vulnerable until patched. Due to the broad range of potential impacts, these vulnerabilities pose a significant risk to organizations relying on F5 products for network infrastructure and security. Successful exploitation could lead to complete compromise of affected systems and networks.
Attack Chain
- The attacker identifies a vulnerable F5 BIG-IP or F5OS system exposed to the network.
- The attacker exploits a vulnerability to bypass authentication mechanisms.
- The attacker leverages an exposed API endpoint to inject malicious code.
- The attacker escalates privileges to gain administrative access on the system.
- The attacker injects malicious JavaScript code to perform a Cross-Site Scripting (XSS) attack, targeting users of the BIG-IP management interface.
- The attacker exploits another vulnerability to trigger a denial-of-service condition, impacting the availability of critical services.
- The attacker accesses sensitive system files or configuration data, leading to information disclosure.
- The attacker modifies system configurations to further compromise the system or network.
Impact
Successful exploitation of these vulnerabilities could result in complete compromise of F5 BIG-IP and F5OS systems, leading to significant disruption of services and potential data breaches. The impact ranges from denial of service, rendering critical applications unavailable, to sensitive information disclosure, allowing attackers to gain further access to internal systems. Given the widespread use of F5 products, a successful attack could impact numerous organizations across various sectors.
Recommendation
- Monitor web server logs for suspicious activity indicative of exploitation attempts targeting F5 BIG-IP and F5OS systems.
- Deploy the Sigma rule “Detect Suspicious URI Access on F5 BIG-IP” to identify potential web-based attacks against F5 systems.
- Implement strict access controls and network segmentation to limit the potential impact of a compromised F5 system.
- Enable verbose logging on F5 BIG-IP and F5OS devices to capture detailed audit trails for incident investigation.
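As an added illustration of the log-monitoring and access-control recommendations above (example code, not from the advisory, the Sigma rule or F5), the following script parses constructed access log lines and flags requests to the BIG-IP management surface that do not originate from an allowlisted management network. The Apache combined log format, the 10.0.5.0/24 management network and the sample lines are assumptions for this example; /tmui/ and /mgmt/ are the Configuration Utility and iControl REST path prefixes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (assumed format for
# the BIG-IP Configuration Utility httpd log; not taken from the advisory).
SAMPLE_LOG = """\
10.0.5.20 - admin [12/Mar/2024:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:10:02:03 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1833 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2024:10:02:04 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 64 "-" "curl/8.4.0"
10.0.5.21 - - [12/Mar/2024:10:03:40 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:04:01 +0000] "GET /index.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""

# Constructed allowlist of management networks (assumption for this example).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Path prefixes of the BIG-IP Configuration Utility (/tmui/) and the
# iControl REST API (/mgmt/); treated here as the management surface to watch.
MANAGEMENT_PREFIXES = ("/tmui/", "/mgmt/")

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_management_source(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)

def find_alerts(log_text):
    """Return (src, path, status) tuples for management-plane requests that
    did not come from an allowlisted management network."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(MANAGEMENT_PREFIXES) and not is_management_source(rec["src"]):
            alerts.append((rec["src"], rec["path"], int(rec["status"])))
    return alerts

def sources_by_alert_count(alerts):
    """Count alerts per source address so repeat offenders stand out."""
    return Counter(src for src, _, _ in alerts)

if __name__ == "__main__":
    for src, path, status in find_alerts(SAMPLE_LOG):
        print(f"ALERT: management access from non-management source {src}: {path} -> {status}")
```

The same check can be pointed at a real log file by replacing SAMPLE_LOG with the file contents and adjusting MANAGEMENT_NETS to the networks that are actually permitted to reach the management interface.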
Detection coverage (2 rules)
Detect Suspicious URI Access on F5 BIG-IP
Severity: high. Detects suspicious URI patterns commonly associated with web application attacks targeting F5 BIG-IP systems.
Detect Privilege Escalation via F5 Configuration Utility
Severity: critical. Detects attempts to modify sensitive configuration files within the F5 BIG-IP system, which can lead to privilege escalation.
Detection queries are kept inside the platform.