Cyber Command urges orgs to implement F5 patch for BIG-IP configuration interface flaw

A vulnerability found last month in the configuration interface of the BIG-IP delivery controller used by some of the world’s biggest companies, governments, military, internet service providers, cloud-computing data centers and enterprise networks, was quickly fixed by its developer F5.

U.S. Cyber Command retweeted last Friday F5’s advisory to patch immediately the flaw that could unleash a Remote Code Execution (RCE), possibly leading to the creation or deletion of files, disabling of services, interception of information, execution of arbitrary system commands and Java code, complete compromise of the system, and pursuit of further targets, such as the internal network.

Positive Technologies researcher Mikhail Klyuchnikov discovered the application delivery controller (ADC) vulnerability in the configuration interface of F5’s popular BIG-IP product.

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE),” Klyuchnikov said.

U.S. Cyber Command took the vulnerability report seriously, as evidenced by its retweet of F5’s post and by its own July 3 cybersecurity alert via Twitter, marked “URGENT,” which advised: “Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately.” F5’s post the same day stated that the BIG-IP Traffic Management User Interface (TMUI) vulnerability “existed in undisclosed pages,” and recommended “upgrading to a fixed software version to fully mitigate this vulnerability.”

Klyuchnikov pointed out in the Positive Technologies blog that the RCE results from security flaws in multiple components, such as one that allows directory traversal exploitation. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.” Fortunately, he added, most companies using the product do not enable access to the interface from the internet.

Last month Positive Technologies found more than 8,000 vulnerable devices available on the internet of which 40 percent lie in the U.S., 16 percent in China, 3 percent in Taiwan, and 2.5 percent in Canada and Indonesia. Less than 1 percent of vulnerable devices were detected in Russia.

CVE-2020-5902 received a CVSS (Common Vulnerability Scoring System) score of 10, indicating the highest degree of danger. To exploit it, an attacker needed to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
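As an added example (not from the article, F5 or Positive Technologies), the following Python script shows how a defender could flag requests to the TMUI path that carry directory-traversal sequences in web-server access logs. The log lines, client addresses and the `example.jsp` page name are constructed, and the matched patterns are a generic traversal heuristic, not F5’s published indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); addresses are from
# documentation ranges and "example.jsp" is a made-up page, not a real TMUI path.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [03/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200 1830
198.51.100.4 - - [03/Jul/2020:10:02:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/example.jsp HTTP/1.1" 200 1830
198.51.100.8 - - [03/Jul/2020:10:02:40 +0000] "GET /images/../etc/x HTTP/1.1" 404 0
192.0.2.3 - - [03/Jul/2020:10:03:07 +0000] "GET /tmui/login.jsp/%252e%252e/tmui/example.jsp HTTP/1.1" 200 1830
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" plus the "..;/" form, where a ";" path parameter can defeat naive normalisation
TRAVERSAL_RE = re.compile(r"\.\.;?[/\\]")


def normalize(path: str) -> str:
    """Decode twice (catches double-encoded %252e) and lowercase for matching."""
    return unquote(unquote(path)).lower()


def is_tmui_traversal(path: str) -> bool:
    """True when a request targets the TMUI tree and carries a traversal sequence."""
    p = normalize(path)
    return p.startswith("/tmui/") and TRAVERSAL_RE.search(p) is not None


def scan_log(text: str) -> list:
    """Return (client_ip, raw_path, status) for each suspicious TMUI request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)          # malformed lines are skipped
        if m and is_tmui_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {path} (HTTP {status})")
```

A hit with a 200 status against a fixed version is a sign the request was served by something other than the patched TMUI, so the device version and the served page should be checked, not just the client blocked.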

To block this and other potential attacks, companies may deploy web application firewalls such as PT Application Firewall.

F5 has also fixed a second vulnerability discovered by Mikhail Klyuchnikov in the BIG-IP configuration interface. XSS vulnerability CVE-2020-5903 (score: 7.5) enables running malicious JavaScript code as the logged-in user. If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE. F5 provided details and recommendations in a security bulletin.

Separately, to examine the exploit activity of the vulnerability, the NCC Group’s Research and Intelligence Fusion Team (RIFT) created a honeypot, which immediately drew attention from attackers, including detection of RCE attempts from malicious actors. “By July 3, 2020 NCC Group observed active exploitation,” NCC reported, posting RIFT’s six-day chronicle of the hacker attention with graphs showing spikes in exploit attempts.
