Cybersecurity Threat Advisory: F5 Critical Vulnerability Exploited in Wild (CVE-2020-5902)

Advisory Overview

A Remote Code Execution (RCE) vulnerability exists in the BIG-IP application delivery controller (ADC) software’s Traffic Management User Interface (TMUI). The vulnerability could allow an attacker to execute remote commands or arbitrary code without the need for authentication, putting sensitive information and the system at risk for take over. F5 has released patches for this vulnerability and all users are advised to update immediately.

Technical detail and additional information

What is the threat?

A Remote Code Execution (RCE) vulnerability exists in the BIG-IP application delivery controller (ADC) software’s Traffic Management User Interface (TMUI). If a prospective attacker has access to the interface (such as if it were exposed to the internet) they could send a specially crafted HTTP request to it which allows them to execute arbitrary code remotely without the need to authenticate with valid credentials. If a device is compromised in this way, the attacker could eventually gain full control over the BIG-IP device and potentially spread laterally to any available devices.

Why is this noteworthy?

Big-IP is undoubtably one of the most prolific networking products currently in use. These devices can be found in use by all manner of organizations both public and private, as well as governments. F5 (the vendor of BIG-IP devices) claims on their site that “48 of the fortune 50 rely on F5”[1], and by extension almost assuredly BIG-IP. The nature of the threat as an RCE coupled with many other factors such as ease of exploitation, ability to bypass authentication, and the prolific nature of the devices has caused this vulnerability (tracked as CVE-2020-5902) to be scored a rare 10 out of 10 on the CVSS rating scale. The potential fallout should this vulnerability be exploited is so dire that the US Cyber Command has issued a warning to not delay patching over the weekend, and to remediate immediately[2]. In addition, a query on the popular search engine for internet-connected devices, “Shodan”, reveals that there are upwards of 8,400 BIG-IP devices online that were easily found and potentially vulnerable. Reports have also shown that this vulnerability is actively being exploited at this time.

[1] https://www.f5.com/products/big-ip-services

[2] https://twitter.com/CNMF_CyberAlert

What is the exposure or risk?

When exploited, this vulnerability allows a malicious actor to execute any number of remote commands or arbitrary code without the need to authenticate with legitimate credentials. Once compromised an attacker could create or delete files, collect and dump encrypted administrator passwords, execute code and modify services in such a way that could effectively allow them to completely take over the BIG-IP device. In a less high-profile case, an attacker could also simply monitor traffic in the network for an extended period of time undetected. It is extremely likely that this vulnerability could be exploited by ransomware gangs to target even the largest organizations as similar bugs have been used in the past. An attacker could lie undetected for a significant period of time after compromising the system, create backdoor access, and return to cause damage and demand payments at a much later date.

What are the recommendations?

F5 has released patches for this vulnerability and all users are advised to update immediately. It is also highly recommended that the TMUI not be publicly accessible from the internet. F5 has detailed the vulnerable versions and their updates in the following release:

“Affected companies are advised to update. Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be replaced by the corresponding updated versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4). Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba should switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available. Other recommendations are given in the F5 BIG-IP bulletin. To block this and other potential attacks, companies may deploy web application firewalls.”

If it is currently impossible to update, F5 has also provided mitigation techniques in their own security advisory which can be found at the link below:

• https://support.f5.com/csp/article/K52145254

References:

• https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
• https://support.f5.com/csp/article/K52145254
• https://www.zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices/
• https://www.zdnet.com/article/f5-patches-vulnerability-that-received-a-cvss-10-severity-score/

If you have any questions, please contact our Security Operations Center.