An obscure coding bug may allow attackers to exploit F5’s BIG-IP load balancer, leading to follow-up attacks such as data thefts and man-in-the-middle attacks. The flaw cannot be patched as it is not a security vulnerability but a coding error when writing BIG-IP’s iRules. iRules are the routines written to direct incoming web traffic towards the correct web server. These iRules are created using the Tool Command Language (Tcl), which when coded improperly can lead to injection attacks. An expression that is not enclosed during Tcl scripting allows for substitutions in statement and commands such that arbitrary user input is interpreted as code and executed. As some iRules parse data from incoming web requests, an attacker can launch a remote attack by submitting a command or piece of code as part of a web request to compromise the device hosting the BIG-IP software. The attack may leave no evidence as the compromised device will not record adversaries’ actions. Over 300,000 web-facing BIG-IP implementations may suffer from the coding flaw and it is possible for threat actors to mass scan the Internet to identify and exploit vulnerable instances. Organisations using F5’s BIG-IP load balancer are encouraged to evaluate their Tcl scripts and fix scripting errors to avoid potential exploitation.

References:

K15650046: Tcl Code Injection Security Exposure

Attackers Could Use This Coding Bug to Turn Big-IP Load Balancers Against Organizations