Full Report
Internet security nonprofit Shadowserver Foundation has found more than 266,000 F5 BIG-IP instances exposed online after the security breach disclosed by cybersecurity company F5 this week. [...]
Analysis Summary
# Vulnerability: Undisclosed F5 BIG-IP Vulnerabilities leading to Source Code Theft
## CVE Details
- CVE ID: Not explicitly provided; the report refers only to 44 undisclosed vulnerabilities that were addressed.
- CVSS Score: Not explicitly provided.
- CWE: Not explicitly provided.
## Affected Systems
- Products: F5 BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, APM clients.
- Versions: All versions for which security updates were issued following the breach. Specific vulnerable versions are not detailed in this context.
- Configurations: Internet-exposed F5 devices are at high risk. CISA specifically calls out F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF products.
## Vulnerability Description
F5's network was breached by nation-state hackers (linked to China/UNC5291) who stole source code and information about undisclosed security flaws affecting several F5 product lines. In response, F5 promptly released patches for 44 vulnerabilities. F5 states it has no knowledge of critical or RCE vulnerabilities being exploited, but the theft of source code and vulnerability details suggests that high-impact flaws may exist.
## Exploitation
- Status: F5 has "no knowledge of undisclosed critical or remote code execution vulnerabilities" being exploited, but the underlying flaws came to light as a consequence of the breach, in which source code and vulnerability information were stolen.
- Complexity: Unknown; flaws in this class of device have historically allowed significant impact.
- Attack Vector: Likely Network, given that these devices are internet-facing components.
## Impact
- Confidentiality: High potential (Source code stolen; previous attacks involved stealing sensitive files and credentials).
- Integrity: High potential (Previous attacks included deploying data-wiping malware and device takeover).
- Availability: Medium potential (Lateral movement and device hijacking can lead to service disruption).
## Remediation
### Patches
- F5 issued patches addressing 44 vulnerabilities concurrently with this advisory. Customers are urged to update their software immediately.
- Specific patch versions are not listed in the summary but are available via F5 advisories.
### Workarounds
- CISA mandated U.S. Federal agencies to immediately inventory F5 products and evaluate if management interfaces are accessible from the public internet.
- **Actionable Mitigation:** Disconnect and decommission all Internet-exposed F5 devices that have reached End-of-Support (as they will not receive further patches).
## Detection
- **Indicators of Compromise:** The threat actor known as UNC5291 was linked to deploying **Brickstorm malware** (a Go-based backdoor) against F5 systems.
- **Detection methods and tools:** Apply the threat-hunting guidance F5 has shared with its customers. Monitor network traffic for signs of lateral movement or unauthorized API key usage, which are typical of intrusions involving compromised BIG-IP appliances.
## References
- Vendor Advisory (Patch Information): hxxps://my.f5.com/manage/s/article/K000156572
- CISA Emergency Directive: hxxps://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices