Why it matters: Hackers are using an empty password exploit to gain root control over entire networks. Thousands of devices have already been hit. If you are an admin using F5's BIG-IP devices, get them updated as soon as possible.
Security researchers discovered a severe vulnerability in sensitive networking gear used by most of the top Fortune 50 companies. The flaw, CVE-2022-1388, has a severity rating of 9.8 out of 10. It warrants the high ranking because hackers are already exploiting the weakness, which allows them to execute root commands without even entering a password, giving them complete control of the network.
The vulnerability resides in F5's BIG-IP line of networking gear. Companies use this equipment for load balancing, firewalls, and data encryption. It is particularly concerning since BIG-IP is often used on network edges to manage traffic and can see the decrypted data from HTTPS-protected sites. Security firm Randori notes that researchers have recorded over 16,000 instances of the exploit using Shodan.
Apparently, the devices have an authentication code, YWRtaW46, that some thought was a hard-coded password. However, vulnerability analyst Will Dormann points out that YWRtaW46 is just the word "admin:" in Base64 format --a default authentication for many internet-capable devices.
Many security professionals were stunned at this gaping hole.
I'm not entirely unconvinced that this code wasn't planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.
— Jake Williams (@MalwareJake) May 9, 2022
If so, brilliant. If not, WTAF... https://t.co/4F237teFa2
Fortunately, F5 issued a fix on May 4 to plug the hole, but several companies are likely still scrambling to get all of their equipment updated. The firm says that the exploit involved a flawed implementation of the iControl REST --a set of web-based configuration and management interfaces for BIG-IP devices. It highly advised businesses to evaluate their equipment for this vulnerability and provided a chart of affected devices.
Randori posted a bash script that admins can run to check for vulnerabilities. It also has other mitigation suggestions to use while updating the network's hardware.
https://www.techspot.com/news/94556-hackers-exploiting-most-popular-networking-gear-fortune-50.html
