Open source F5 Big-IP exploit detector released

Security vendor Corelight has open sourced a new tool to help detect exploit attempts - both successful and unsuccessful - against enterprise and data centre network device vendor F5's Big-IP load balancers.

Corelight has published the package for the Zeek Network Security Monitoring Tool on Github.

Zeek is developed by Lawrence Berkeley National Laboratory, and is an open source tool for observing network traffic.

It can be used in conjunction with security information event managment (SIEM) systems, with Zeek providing a network context to enrich information feeds, Corelight researcher Ben Reardon said.

"As an incident responder (IR), you want contextual information upfront, because you need to triage things quickly," he wrote. 

"By adding items like headers into the alert notice – as this package does – Zeek gives responders an upper hand in the race against the IR queue, because now they don’t need to wade through PCAPs [data packet captures] in a clunky swivel-chair workflow to manually fish out the important parts in order to decide on the next course of action," he added.

F5 users have been warned to patch their devices by government cyber security agencies, but even those who have updated their Big-IPs might be interested in spotting exploit attempts, Reardon suggested.

The F5 Big-IP flaw, CVE-2020-5902, is rated as 10 out of 10 on the Common Vulnerabilities and Exposures scale.

The improperly implemented access controls vulnerability in the Big-IP Traffic Management User Interface Configuration (TMUC) utility can be exploited with a single line of code that has been made public.

Security monitoring services found earlier this month that the vulnerability is being exploited remotely to install cryptocurrency mining and webshell command and control malware, and other payloads.