Jul 09, 2020

F5 BIG-IP Remote Code Execution Vulnerability

A few days ago the security community was abuzz, and several security companies confirmed, that attackers are actively targeting F5 BIG-IP servers vulnerable to CVE-2020-5902. This critical vulnerability allows unauthenticated remote attackers to execute code on the BIG-IP administrative interface (the Traffic Management User Interface, TMUI). It has been under active exploitation throughout this week.

Affected resources:

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM), versions:

What is Big-IP?

BIG-IP is a family of application delivery products from F5, widely used by blue-chip financial services and tech firms, government agencies and others. It acts as a gateway to your data centre, handling network load balancing, SSL offloading and more. The Traffic Management User Interface (TMUI), also called the Configuration utility, is its web-based management interface, and it is this interface that is affected by CVE-2020-5902.

How Is CVE-2020-5902 Exploited?

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages (CVE-2020-5902). It allows unauthenticated attackers with network access to the TMUI (via the management port or any self IP on which it is exposed) to execute arbitrary system commands, create or delete files, disable services and/or execute arbitrary Java code. Note that no credentials are required: a device whose TMUI is reachable from the internet is fully compromisable by anyone who finds it.

Proof-of-concept (PoC) code demonstrating the exploit has been published publicly on GitHub, Twitter and other platforms:

  1. https://github.com/yassineaboukir/CVE-2020-5902
  2. https://twitter.com/yorickkoster/status/1279709009151434754
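The public PoCs reach the vulnerable JSP pages by appending a `..;` traversal segment after /tmui/login.jsp, so that token is a useful hunting signal in the Apache-style access log of the httpd that serves the Configuration utility. The following script is an added example written for this post, not code from F5 or from either PoC author; the log lines are constructed samples (RFC 5737 documentation addresses), and the request paths follow the pattern used by the public PoCs.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format; these are not
# real device logs. The second and third lines mimic the public PoC
# requests, the others are ordinary TMUI traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jul/2020:10:12:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1842 "-" "python-requests/2.23.0"
198.51.100.7 - - [07/Jul/2020:10:12:15 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 522 "-" "curl/7.68.0"
192.0.2.44 - - [07/Jul/2020:10:13:02 +0000] "POST /tmui/logmein.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The ';' after '..' is what makes the front-end proxy and the Java
# servlet container disagree about the path, so match it literally.
TRAVERSAL_RE = re.compile(r'\.\.;')


def is_tmui_traversal(target: str) -> bool:
    """True if the request target abuses '..;' under /tmui/.

    Percent-decoding is applied first so that '%2e%2e;' and mixed-case
    encodings are caught as well as the plain form.
    """
    path = unquote(target.split('?', 1)[0])
    return path.lower().startswith('/tmui/') and TRAVERSAL_RE.search(path) is not None


def scan(log_text: str) -> list:
    """Return (ip, method, decoded_target, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_tmui_traversal(m['target']):
            hits.append((m['ip'], m['method'], unquote(m['target']), m['status']))
    return hits


if __name__ == '__main__':
    for ip, method, target, status in scan(SAMPLE_LOG):
        print(f'{ip} {method} {target} -> {status}')
```

A 200 response to such a request is a strong indicator that the device was not patched or mitigated at the time, and the host should be treated as compromised until proven otherwise; a 404 on the same pattern is consistent with the mitigation or fix being in place, but the source IP is still worth blocking.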

Security researchers report that 8,460 F5 customers had the BIG-IP product internet-facing, including some of the world's biggest companies. Other researchers found 1,832 unique IPv4 hosts worldwide vulnerable to CVE-2020-5902. Anyone can locate such exposed hosts using Shodan, which is exactly what attackers are doing.

Figure: F5 BIG-IP endpoints vulnerable to CVE-2020-5902 by country

Impact on Nepal

F5 devices are relatively rare in Nepal; only a handful of organizations use them. Our security research team has identified only 2 devices affected by this vulnerability. Their owners have already been informed by our team, but the devices are yet to be patched. We will update this post once they are patched.

Security Advisory Recommended Actions

F5 Networks has released fixed versions that address the vulnerability. Review F5's security advisory carefully and upgrade to a fixed version as soon as possible. Until the upgrade is done, do not expose the TMUI to the internet: restrict access to the management interface and any self IP serving the Configuration utility to trusted networks only. Because the vulnerability has been exploited in the wild for days, any device that was reachable from the internet while unpatched should also be reviewed for signs of compromise, not just patched.