Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

Fewer than 500 machines have been patched since U.S. Cyber Command issued an alert to patch a critical bug that’s under active exploit.

About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code execution (RCE), despite a patch for a critical flaw being available for two weeks.

The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.

At the end of June, F5 issued urgent patches for a critical RCE flaw (CVE-2020-5902), which is present in the Traffic Management User Interface (TMUI) of the company’s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan showed that there were almost 8,500 vulnerable devices exposed on the internet.

Shortly after disclosure, public exploits were made available for it, leading to mass scanning for vulnerable devices by attackers, and ultimately to active exploitation.

“CVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,” Expanse researchers noted in an advisory issued on Friday. “It was deemed so critical that U.S. Cyber Command issued a tweet on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.”

Fast-forward two weeks, and patches have rolled out to fewer than 500 of that original group of vulnerable machines, according to the analysis. Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.

The stakes are high, as one would expect from a critical-rated bug: “The vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,” explained the researchers. “This vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.”

To boot, an additional bug, CVE-2020-5903, affects the same vulnerable management interface: it is a cross-site scripting (XSS) vulnerability that Expanse said could also be leveraged for RCE.
