Securing Network Appliances: New Technologies and Old Challenges

In the current era, where many network appliances are built on Linux operating systems, strong and robust firmware security is a must. Historically, network devices struggled to implement everything securely. As a result, there is a big push both to use memory-safe languages and to achieve process isolation similar to that of hardened operating systems. Technologies like Docker and k8s, and languages like Golang, are gaining adoption in the device firmware industry. But they are not a cure-all.

In this talk, we will give an overview of the network device supply chain and how firmware security looked before, and show the latest version of the F5 BIG-IP platform, BIG-IP Next, which uses modern technology to be more secure. We will show how this approach improved the security of the platform compared to previous versions. We will also show how it still fell short on basic security hygiene, for which new technologies are not a cure-all, including 2 fresh remotely exploitable vulnerabilities leading to takeover of the device central manager, as well as achieving stealthy persistence on the devices. We will discuss what can be further done and improved to help prevent these issues, applicable both to the specific platform in question and more widely.

By:
Vladyslav Babkin | Security Researcher, Eclypsium

Full Abstract and Presentation Materials:
https://www.blackhat.com/us-24/briefings/schedule/#securing-network-appliances-new-technologies-and-old-challenges-40169