Updated on July 7, 2020, 10:30 pm EST to include solutions.
F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible, after the provider disclosed two vulnerabilities. The first of these is CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in the BIG-IP devices' Traffic Management User Interface (TMUI).
CVE-2020-5902 received a 10 out of 10 score on the Common Vulnerability Scoring System (CVSS) v3.0 vulnerability severity scale. After this vulnerability was made public, threat actors were quick to take advantage of it by launching attacks on the impacted devices, as spotted by NCC Group security researcher Rich Warren.
Another less critical vulnerability, CVE-2020-5903, involves cross-site scripting (XSS). F5 has now released patches for both in the vulnerabilities’ respective security advisories (one advisory for CVE-2020-5902 and another for CVE-2020-5903). Both vulnerabilities were revealed to the company by Mikhail Klyuchnikov, a security researcher from Positive Technologies.
The severe vulnerability: CVE-2020-5902
CVE-2020-5902 is an RCE vulnerability found in BIG-IP’s TMUI, also known as the Configuration utility. In a properly configured network environment, this configuration portal should not be accessible to an attacker unless they already have access to the network from the inside. The vulnerability is reported to be easy to exploit and automate, as it can be used over the internet and does not require advanced coding skills to abuse.
To exploit this vulnerability, an attacker has to send a specially crafted HTTP request to the server that houses BIG-IP’s TMUI. By abusing CVE-2020-5902, unauthenticated users can perform the following actions without valid credentials:
- Execute arbitrary commands and code
- Create or delete files
- Disable services
Klyuchnikov stresses in Positive Technologies’ report that “RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.” As stated in ZDNet's article, there are approximately 8,400 BIG-IP devices connected to the internet according to a Shodan search.
F5 warned users that this vulnerability might result in a complete system compromise. The full list of affected devices, their patches, and mitigations (in case upgrades are not possible) are available in F5’s security advisory for CVE-2020-5902.
The United States Cybersecurity & Infrastructure Security Agency also released a statement that encourages users and administrators to patch their devices.
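The directory traversal component described above leaves traces in web access logs, so a log review is a useful companion to patching. The following is an added example, not code from F5, Positive Technologies, or Trend Micro: a generic traversal check (not a signature from any advisory) that normalizes request paths before looking for `..` segments. The `/tmui/` prefix, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the management UI is served under this URL prefix; adjust as needed.
MGMT_PREFIX = "/tmui/"
# Client, request path and status from a common/combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def has_traversal(raw_path: str) -> bool:
    """True if any path segment resolves to '..' after normalization."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):  # decode twice so double-encoded dots (%252e) are caught
        path = unquote(path)
    path = path.replace("\\", "/")
    for segment in path.split("/"):
        # Drop path parameters (';...'), which some servers ignore when routing.
        if segment.split(";", 1)[0] == "..":
            return True
    return False

def suspicious_requests(log_lines):
    """Return (client, path, status) for management UI requests with traversal."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        if unquote(unquote(path)).lower().startswith(MGMT_PREFIX) and has_traversal(path):
            hits.append((client, path, status))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder page names).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jul/2020:10:00:05 +0000] "GET /tmui/login.jsp/..;/example.jsp HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/Jul/2020:10:00:09 +0000] "POST /tmui/a/%2e%2e/%2e%2e/example HTTP/1.1" 404 0',
    '203.0.113.4 - - [06/Jul/2020:10:01:00 +0000] "GET /tmui/help/file..name.html HTTP/1.1" 200 90',
    '203.0.113.4 - - [06/Jul/2020:10:01:02 +0000] "GET /static/../x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for client, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

A hit that returned a 200 status from an unauthenticated client deserves priority in triage, since it suggests the request was served rather than rejected.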
CVE-2020-5903 cross-site scripting vulnerability
ZDNet's report states that BIG-IP devices are utilized on the networks of 48 companies included in the Fortune 50 list, as F5 divulged on their official website. The products are also used in networks and cloud data centers of enterprises, government organizations, and internet providers, among other industries.
Demand for F5 solutions has surged recently, largely because of the abrupt transition to work-from-home arrangements that the global coronavirus pandemic has forced on many companies.
Protecting vulnerabilities from attackers
As threat actors are on the constant lookout for vulnerabilities to exploit, it is highly advised that security teams and users follow security measures to ensure that their systems remain protected. Some of these basic recommendations are the following:
- Periodically patch and update operating systems, firmware, programs, applications, and other software.
- Keep abreast of the latest reports on vulnerabilities affecting devices and software from different providers.
- Deploy security solutions to detect threats before they can compromise the systems.
- 1010388 - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
Trend Micro™ TippingPoint® protects customers through the following rules:
- 37841: HTTP: F5 BIG-IP TMUI Directory Traversal Vulnerability