On Friday, F-Secure revealed a vulnerability in F5 Networks' popular load balancing software BIG-IP that could allow attackers to inject malicious code using nothing more than an online form.
According to the security firm, the vulnerability — discovered by Senior Security Consultant Christoffer Jerkeby during a routine assessment — could affect more than 300,000 organizations including large banks and governments that rely on BIG-IP. However, F-Secure has not received any reports of actual attacks against organizations.
While the vulnerability affects BIG-IP customers, F-Secure notes that the issue doesn't exist within BIG-IP itself. Instead, the vulnerability is created when an organization configures or misconfigures BIG-IP's iRules — routines written in tool command language (Tcl) to direct incoming web traffic toward the correct web server.
In certain conditions, misconfigured iRules can allow attackers to inject malicious code in a similar fashion to injection attacks on SQL and shell scripting languages. And, according to F-Secure, injecting malicious code isn't difficult. In some implementations of BIG-IP, it can be as easy as filling in an online form.
While the nature of the vulnerability isn't unique, the consequences can be severe, a fact that is only amplified by the popularity of BIG-IP. Once the device hosting the BIG-IP software has been compromised, attackers can steal data or intercept and manipulate traffic to expose password data. Worse, F-Secure reports that once a device has been compromised, it won't record the adversaries' actions, making it difficult to determine whether an attack has even taken place.
“This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks. Plus, many organizations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem,” said Christoffer in a statement. “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”
The Bigger Problem
Perhaps the biggest problem with addressing this vulnerability is that there is nothing F5 can do to fix it. Instead, it's up to each organization to check its own implementation for vulnerabilities.
“Unless an organization has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” Christoffer said. “Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario.”
Addressing the Issue
Since becoming aware of the vulnerability, F-Secure and F5 have been working together for the last five months to address the problem.
While the vulnerability won't affect every BIG-IP user, F-Secure notes that because it's possible to scan the internet for vulnerable instances, and even automate that process, the issue will likely attract the attention of attackers and bug bounty hunters.
In response to this vulnerability, F5 released a public advisory and Christoffer helped develop two open source tools to analyze the affected Tcl scripts. The first, TestTcl, is a library that can be used to analyze Tcl scripts. The second, Tclscan, allows users to scan Tcl code for injection flaws.
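The injection pattern described above (iRule Tcl that re-parses request-derived data, as in SQL or shell injection) and the kind of scanning the article attributes to Tclscan can both be illustrated with a small heuristic checker. The code below is an added example written for this page; it is not F-Secure's TestTcl or Tclscan, nor F5 code. It assumes the well-known Tcl "double substitution" rule: the parser substitutes `$var` and `[cmd]` once in an unbraced argument, and commands such as `expr`, unbraced `if`/`while`, `eval`, `subst`, `catch` and `uplevel` then parse that already-substituted text again, so data that arrived in a request gets evaluated as Tcl. The sample iRule fragment is constructed for the demonstration, and the command list and regular expression are a deliberately simple, hypothetical approximation of a real Tcl tokenizer.

```python
import re

# Tcl commands that evaluate a string argument a second time. When their
# argument is not wrapped in braces, the Tcl parser substitutes $var and
# [cmd] once, and the command substitutes again ("double substitution").
# List is an assumption for this example, not an exhaustive catalogue.
DOUBLE_SUBST_CMDS = ("expr", "if", "while", "eval", "subst", "catch", "uplevel")

# Match one of those commands followed by an argument that does NOT start
# with "{". The argument is the rest of the line; a tokenizer would be more
# precise, but this heuristic is enough to flag the classic mistakes.
_PATTERN = re.compile(
    r"\b(?P<cmd>" + "|".join(DOUBLE_SUBST_CMDS) + r")\s+(?!\{)(?P<arg>\S[^\n]*)"
)

ADVICE = (
    "Brace the argument ({...}) so it is substituted only once, or avoid "
    "eval/subst/catch on data derived from the request."
)


def scan_irule(source: str) -> list:
    """Return findings for lines where a double-substituting command receives
    an unbraced argument containing $ or [ (i.e. substituted data)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and Tcl comments carry no code
        for m in _PATTERN.finditer(line):
            arg = m.group("arg")
            if "$" in arg or "[" in arg:
                findings.append(
                    {
                        "line": lineno,
                        "command": m.group("cmd"),
                        "snippet": stripped,
                        "advice": ADVICE,
                    }
                )
    return findings


# Constructed iRule fragment for the demonstration (not a real configuration).
SAMPLE_IRULE = """\
# Constructed iRule fragment for demonstration (not a real F5 configuration)
when HTTP_REQUEST {
    set uri [HTTP::uri]
    # braced condition: the Tcl parser does not substitute inside {...}
    if { $uri starts_with "/app" } { pool app_pool }
    # unbraced expr: header content is substituted, then re-parsed by expr
    set n [expr "[HTTP::header X-Count] + 1"]
    # eval of a string built from the URI: request data is re-parsed as Tcl
    eval "set path $uri"
    # braced expr: safe, expr receives the literal script and substitutes once
    set clean [expr {$n * 2}]
}
"""


if __name__ == "__main__":
    for f in scan_irule(SAMPLE_IRULE):
        print(f"line {f['line']}: unbraced '{f['command']}' argument: {f['snippet']}")
        print(f"    {f['advice']}")
```

Running the block on the constructed fragment reports the unbraced `expr` on line 7 and the `eval` on line 9, and stays quiet on the braced `if` and the braced `expr`, which is the distinction a defender reviewing iRules needs to make. Because the check is line-based, a real review should treat its output as candidates for manual inspection rather than as a verdict.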