A vulnerability found last month in the configuration interface of the BIG-IP application delivery controller, used by some of the world’s biggest companies, governments, militaries, internet service providers, cloud-computing data centers and enterprise networks, was quickly fixed by its developer, F5.
U.S. Cyber Command retweeted last Friday F5’s advisory to patch immediately the flaw, which could allow Remote Code Execution (RCE), possibly letting an attacker create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets such as the internal network.
Positive Technologies researcher Mikhail Klyuchnikov discovered the application delivery controller (ADC) vulnerability in the configuration interface of F5’s popular BIG-IP product.
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE),” Klyuchnikov said.
U.S. Cyber Command took the vulnerability report seriously, as evidenced by its retweet of F5’s post: its July 3 cybersecurity alert via Twitter, marked “URGENT,” advised: “Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately.” F5’s post the same day stated “The BIG-IP Traffic Management User Interface (TMUI)’s vulnerability existed in undisclosed pages,” and recommended “upgrading to a fixed software version to fully mitigate this vulnerability.”
Klyuchnikov pointed out in the Positive Technologies blog that the RCE results from security flaws in multiple components, including one that allows directory traversal. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.” Fortunately, he added, most companies using the product do not enable access to the interface from the internet.
Last month Positive Technologies found more than 8,000 vulnerable devices available on the internet of which 40 percent lie in the U.S., 16 percent in China, 3 percent in Taiwan, and 2.5 percent in Canada and Indonesia. Less than 1 percent of vulnerable devices were detected in Russia.
CVE-2020-5902 received a CVSS (Common Vulnerability Scoring System) score of 10, the highest possible severity. To exploit it, an attacker needed to send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility used for BIG-IP configuration.
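As an added example (not code from the article, F5 or Positive Technologies), a small log-review script that flags requests aimed at the TMUI path whose decoded URL contains dot-dot segments, the directory-traversal pattern the article describes; the access-log lines and request paths below are constructed for illustration and are not the real exploit request.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style); the traversal
# paths are illustrative placeholders, not the actual CVE-2020-5902 request.
SAMPLE_LOGS = [
    '10.0.0.5 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234',
    '198.51.100.7 - - [06/Jul/2020:10:01:09 +0000] "GET /tmui/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 987',
    '203.0.113.9 - - [06/Jul/2020:10:02:44 +0000] "GET /tmui/../../../../admin/config HTTP/1.1" 403 0',
    '10.0.0.8 - - [06/Jul/2020:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 4567',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def is_tmui_traversal(raw_path: str) -> bool:
    """True if the request targets /tmui and, after percent-decoding,
    contains a path segment beginning with '..'."""
    path = raw_path.split('?', 1)[0]
    # Decode twice so double-encoded sequences (%252e) are also normalised.
    decoded = unquote(unquote(path))
    if not decoded.lower().startswith('/tmui'):
        return False
    # Split on both slash styles; flag any segment that starts with '..'
    # (covers suffix variants that some servers strip during normalisation).
    segments = re.split(r'[\\/]+', decoded)
    return any(seg.startswith('..') for seg in segments)


def flag_suspicious(lines):
    """Return (source_ip, raw_path, status) for each log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_tmui_traversal(m['path']):
            hits.append((m['src'], m['path'], m['status']))
    return hits


if __name__ == '__main__':
    for src, path, status in flag_suspicious(SAMPLE_LOGS):
        print(f'{src} requested {path} (HTTP {status})')
```

A 200 response on a flagged line is worth investigating even after patching, while a 403 on the same pattern suggests the request was blocked.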
To block this and other potential attacks, companies may deploy web application firewalls such as PT Application Firewall.