Critical RCE Flaw Affects F5 BIG-IP Application Security Servers


Cybersecurity researchers today issued a security advisory warning
enterprises and governments across the globe to immediately patch a
highly-critical remote code execution vulnerability affecting F5’s
BIG-IP networking devices running application security servers.

The vulnerability, assigned CVE-2020-5902[1] and
rated as critical with a CVSS score of 10 out of 10, could let
remote attackers take complete control of the targeted systems and
ultimately monitor the application data those systems manage.

According to Mikhail Klyuchnikov, a security researcher at Positive
Technologies who discovered the flaw and reported it to F5
Networks, the issue resides in a configuration utility called
Traffic Management User Interface (TMUI) for BIG-IP application
delivery controller (ADC).

BIG-IP ADC is used by large enterprises, data centers, and
cloud computing environments to implement application
acceleration, load balancing, rate shaping, SSL offloading, and
web application firewalling.

F5 BIG-IP ADC RCE Flaw (CVE-2020-5902)

An unauthenticated attacker can remotely exploit this vulnerability
by sending a maliciously crafted HTTP request to the vulnerable
server hosting the Traffic Management User Interface (TMUI) utility
for BIG-IP configuration.

Successful exploitation of this vulnerability could give
attackers full administrative control over the device, ultimately
allowing them to perform any action on the compromised device
without authorization.


“The attacker can create or delete files, disable services,
intercept information, run arbitrary system commands and Java code,
completely compromise the system, and pursue further targets, such
as the internal network,” Klyuchnikov said[2].

“RCE in this case results from security flaws in multiple
components, such as one that allows directory traversal
exploitation.”
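The article describes the attack surface as unauthenticated HTTP requests to the TMUI configuration utility, with directory traversal among the underlying flaws. The following is an added example (not part of the advisory, the article, or any F5 tooling) of the kind of log review a defender would run while checking whether an exposed TMUI was probed: it canonicalises each request path and flags requests under `/tmui/` that contain a `..` segment after decoding. The log lines are constructed, the `/tmui/` prefix is taken from the article, and the normalisation rules (double percent-decoding, stripping `;param` path parameters) are assumptions about how a lenient servlet container might interpret a path, not a description of the specific flaw.

```python
"""Flag requests to the BIG-IP TMUI configuration utility that carry
directory-traversal indicators.  Added example over constructed log lines;
not code from the advisory or from F5."""
import re
from urllib.parse import unquote

# Constructed sample lines in a common access-log layout (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2020:10:15:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2541
203.0.113.9 - - [03/Jul/2020:10:15:07 +0000] "GET /tmui/static/../../etc/hosts HTTP/1.1" 200 120
203.0.113.9 - - [03/Jul/2020:10:15:09 +0000] "GET /tmui/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 870
198.51.100.2 - - [03/Jul/2020:10:16:00 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 90
203.0.113.9 - - [03/Jul/2020:10:16:30 +0000] "GET /tmui/a;b/../c HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefix of the configuration utility named in the advisory.
TMUI_PREFIX = "/tmui/"


def normalise_path(target):
    """Canonicalise a request target before inspecting it (assumed rules):
    drop the query string, percent-decode twice to catch double encoding,
    and strip ';param' path parameters from every segment so that a
    segment such as '..;x' is compared as '..'."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/".join(segments)


def is_traversal_against_tmui(target):
    """True when the canonical path is under TMUI and contains a '..' segment."""
    path = normalise_path(target)
    if not path.startswith(TMUI_PREFIX):
        return False
    return ".." in path.split("/")


def scan_log(text):
    """Return (source IP, raw target, status) for every flagged request.
    A 200 status on a traversal path is the combination worth escalating."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if is_traversal_against_tmui(m["target"]):
            hits.append((m["src"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, target, status in scan_log(SAMPLE_LOG):
        print(f"{src} -> {target} (HTTP {status})")
```

Matching on the canonical path rather than the raw string is the point of the example: two of the three constructed hits would be missed by a naive `".."` substring check on the undecoded line, and any request that reaches `/tmui/` unauthenticated from outside the management network should already be a finding regardless of its path.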

As of June 2020, more than 8,000 devices have been identified
online as being exposed directly to the internet, of which 40%
reside in the United States, 16% in China, 3% in Taiwan, 2.5% in
Canada and Indonesia, and less than 1% in Russia, the security firm
says.

However, Klyuchnikov also says that most companies using the
affected product do not expose the vulnerable configuration
interface to the internet.

F5 BIG-IP ADC XSS Flaw (CVE-2020-5903)

Besides this, Klyuchnikov also reported an XSS vulnerability
(assigned CVE-2020-5903[3] with a CVSS score of
7.5) in the BIG-IP configuration interface that could let remote
attackers run malicious JavaScript code as the logged-in
administrator user.

“If the user has administrator privileges and access to Advanced
Shell (bash), successful exploitation can lead to a full compromise
of BIG-IP via RCE,” the researcher said.

Affected Versions and Patch Updates

Administrators running the vulnerable BIG-IP versions 11.6.x,
12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x are strongly advised to
update their devices to the latest versions 11.6.5.2, 12.1.5.2,
13.1.3.4, 14.1.2.6, and 15.1.0.4 as soon as possible.

Moreover, users of public cloud marketplaces like AWS (Amazon
Web Services), Azure, GCP, and Alibaba are also advised to switch
to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2,
13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, as soon as they are
available.
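As an added example (not F5's code or the article's), the following triage script turns the affected branches and fixed releases listed above into a check an asset owner can run against a version inventory. The fixed-version table is taken from the two lists in the article (including 15.0.1.4, which appears in the cloud marketplace list); the inventory entries are constructed, and a branch the article does not name is reported as "unlisted" rather than assumed safe.

```python
"""Classify BIG-IP software versions against the fixed releases named in
the CVE-2020-5902 advisory.  Added example; the version table comes from
the article, the inventory below is constructed."""
import re

# Fixed release per affected branch, as listed in the article.
FIXED_VERSIONS = {
    "11.6": "11.6.5.2",
    "12.1": "12.1.5.2",
    "13.1": "13.1.3.4",
    "14.1": "14.1.2.6",
    "15.0": "15.0.1.4",
    "15.1": "15.1.0.4",
}


def parse_version(version):
    """Turn '14.1.2.6' into the comparable tuple (14, 1, 2, 6).
    Shorter strings are right-padded with zeros; anything else is rejected."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version):
    """Return 'vulnerable', 'patched', or 'unlisted' for one version string.
    'unlisted' means the major.minor branch is not in the advisory's table,
    which calls for a vendor check rather than an assumption either way."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unlisted"
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns hostname -> status."""
    return {host: assess(version) for host, version in inventory}


# Constructed inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "14.1.2.3"),
    ("lb-edge-02", "14.1.2.6"),
    ("lb-lab-01", "15.0.0.1"),
    ("lb-cloud-01", "15.1.0.4"),
    ("lb-legacy-01", "11.5.4"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Comparing padded integer tuples avoids the classic string-comparison mistake where "14.1.2.10" sorts below "14.1.2.6"; the check is deliberately conservative in that a version on an unlisted branch is surfaced for follow-up instead of being treated as clean.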

References

  1. CVE-2020-5902 (support.f5.com)
  2. Klyuchnikov said (swarm.ptsecurity.com)
  3. CVE-2020-5903 (support.f5.com)
