Updated on July 7, 2020, 10:30 pm EST to include solutions.
F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible after the provider disclosed two vulnerabilities. The first of these is CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in the Traffic Management User Interface (TMUI) of BIG-IP devices.
CVE-2020-5902 received a 10 out of 10 score on the Common Vulnerability Scoring System (CVSS) v3.0 vulnerability severity scale. After this vulnerability was made public, threat actors were quick to take advantage of it by launching attacks on the impacted devices, as spotted by NCC Group security researcher Rich Warren.
CVE-2020-5902 is an RCE vulnerability found in BIG-IP’s TMUI, also known as the Configuration utility. In a properly configured network environment, this configuration portal should not be accessible to an attacker unless they already have access from inside the network. The vulnerability is reported to be easy to exploit and to automate, as it can be used over the internet and does not require advanced coding skills to abuse.
To exploit this vulnerability, an attacker has to send a specially crafted HTTP request to the server that houses BIG-IP’s TMUI. By abusing CVE-2020-5902, unauthenticated users can perform the following actions:
Execute arbitrary commands and code
Create or delete files
Klyuchnikov stresses in Positive Technologies’ report that “RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.” As stated in ZDNet’s article, there are approximately 8,400 BIG-IP devices connected to the internet according to a Shodan search.
F5 warned users that this vulnerability might result in a complete system compromise. The full list of affected devices, their patches, and mitigations (in case upgrades are not possible) are available in F5’s security advisory for CVE-2020-5902.
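The two conditions described above (the Configuration utility being reached from outside the management network, and directory traversal sequences in the request path) can be checked for in web access logs. The following is an added example, not code from F5, Positive Technologies or the original article; the management network range, the /tmui/ URL prefix, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions (not from the article): the networks allowed to reach the
# Configuration utility, and the URL prefix it is served under.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
TMUI_PREFIX = "/tmui/"
# Common access-log layout: client, ident, user, [time], "METHOD target ..." status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_traversal(target):
    """True if any decoded path segment (query excluded) begins with '..'."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    return any(seg.startswith("..") for seg in path.split("/"))

def is_managed(client):
    """True only for a literal IP address inside a management network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)

def triage(line):
    """Return the findings for one access-log line (empty list = nothing flagged)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    client, _method, target, _status = m.groups()
    findings = []
    if TMUI_PREFIX in decode_fully(target).lower() and not is_managed(client):
        findings.append("tmui-from-unmanaged-source")
    if has_traversal(target):
        findings.append("path-traversal-sequence")
    return findings

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.20.0.15 - admin [07/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200',
    '203.0.113.7 - - [07/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp HTTP/1.1" 200',
    '203.0.113.7 - - [07/Jul/2020:10:01:11 +0000] "GET /tmui/%252e%252e/x HTTP/1.1" 404',
]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), entry)
```

A finding of tmui-from-unmanaged-source on its own indicates an exposure problem to fix at the network layer, regardless of whether any traversal attempt is logged.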
ZDNet's report states that BIG-IP devices are utilized on the networks of 48 companies included in the Fortune 50 list, as F5 divulged on their official website. The products are also used in networks and cloud data centers of enterprises, government organizations, and internet providers, among other industries.
Demand for F5 solutions has surged recently, in large part because of the abrupt transition to work-from-home arrangements that the global coronavirus pandemic has made necessary for many companies.
Protecting vulnerable systems from attackers
As threat actors are on the constant lookout for vulnerabilities to exploit, it is highly advised that security teams and users follow security measures to ensure that their systems remain protected. Some of these basic recommendations are the following:
Periodically patch and update operating systems, firmware, programs, applications, and other software.
Keep abreast of the latest reports on vulnerabilities affecting devices and software from different providers.
Deploy security solutions to detect threats before they can compromise the systems.