Urgent patching is called for following a vulnerability found in the configuration interface of the BIG-IP application delivery controller, a product used by some of the world’s biggest companies, governments, militaries, internet service providers, cloud-computing data centres & enterprise networks. Its developer, F5, quickly fixed the flaw.
US Cyber Command recently re-tweeted F5’s advisory to patch this flaw immediately. The flaw could enable Remote Code Execution (RCE), possibly leading to the creation or deletion of files, the disabling of services, the interception of information, the running of arbitrary system commands & Java code, complete compromise of the system, & the pursuit of further targets, such as the internal network.
Configuration Interface
Positive Technologies researcher Mikhail Klyuchnikov discovered the application delivery controller (ADC) vulnerability in the configuration interface of F5’s popular BIG-IP product.
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorisation, perform remote code execution (RCE),” Klyuchnikov outlined.
Vulnerability Report
US Cyber Command took the vulnerability report seriously, as shown by its retweet of F5’s post: its July 3 cyber-security alert via Twitter, marked “URGENT”, advised: “Patching CVE-2020-5902 & 5903 should not be postponed over the weekend. Remediate immediately.”
F5’s post the same day stated that the BIG-IP Traffic Management User Interface (TMUI) vulnerability existed “in undisclosed pages”, & recommended “upgrading to a fixed software version to fully mitigate this vulnerability.”
Traversal Exploitation
Klyuchnikov explained in the Positive Technologies blog that the RCE results from security flaws in multiple components, such as one that allows directory traversal exploitation. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.” Fortunately, he observed, most companies using the product do not enable access to the interface from the internet.
Last month, Positive Technologies found over 8,000 vulnerable devices available on the internet, of which 40% were in the US, 16% in China, 3% in Taiwan, & 2.5% in Canada & Indonesia. Under 1% of vulnerable devices were detected in Russia.
Traffic Management
CVE-2020-5902 received a CVSS (Common Vulnerability Scoring System) score of 10, indicating the highest degree of danger. To exploit it, an attacker needed to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
To block this & other potential attacks, companies may use web application firewalls, e.g. PT Application Firewall.
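Beyond a WAF, defenders can look for the directory-traversal pattern described above in their own TMUI access logs. The Python below is an added example, not code from the article, F5, Positive Technologies or NCC Group; the `/tmui/` URL prefix is assumed and the log lines are constructed for the example.

```python
"""Flag path-traversal attempts aimed at the BIG-IP TMUI in web-server access logs."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic) in common log format.
SAMPLE_LOGS = [
    '203.0.113.5 - - [03/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Jul/2020:10:01:13 +0000] "GET /tmui/login.jsp/..;/tmui/other.jsp HTTP/1.1" 200 812',
    '198.51.100.7 - - [03/Jul/2020:10:02:01 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/other.jsp?x=1 HTTP/1.1" 200 812',
    '192.0.2.44 - - [03/Jul/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 300',
]

# Pulls the method and request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(path):
    """Return the path segments roughly as a servlet container would see them.

    Drops the query string, percent-decodes twice (to defeat double encoding)
    and strips ';...' path parameters from each segment, so that '..;' and
    '%2e%2e%3b' both collapse to a plain '..' segment.
    """
    path = unquote(unquote(path.split('?', 1)[0]))
    return [seg.split(';', 1)[0] for seg in path.split('/') if seg]


def is_tmui_traversal(path):
    """True if the request touches the assumed /tmui/ prefix and contains a '..' segment."""
    segs = normalize_path(path)
    return any(s.lower() == 'tmui' for s in segs) and '..' in segs


def scan_logs(lines):
    """Return (client_ip, raw_path) for every log line that looks like TMUI traversal."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_tmui_traversal(match.group('path')):
            hits.append((line.split()[0], match.group('path')))
    return hits


if __name__ == '__main__':
    for ip, path in scan_logs(SAMPLE_LOGS):
        print(f'suspicious TMUI request from {ip}: {path}')
```

Because the check runs on the normalized segments rather than on the raw string, a signature such as a literal `..;/` is not needed and encoded variants are caught too.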
Advanced Shell
F5 has also fixed a 2nd vulnerability discovered by Mikhail Klyuchnikov in the BIG-IP configuration interface. XSS vulnerability CVE-2020-5903 (score: 7.5) enables running malicious JavaScript code as the logged-in user. If the user has administrator privileges & access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE. F5 provided details & recommendations in a security bulletin.
Malicious Players
Also, to examine exploit activity against the vulnerability, NCC Group’s Research & Intelligence Fusion Team (RIFT) created a ‘honeypot’, which immediately drew attention from attackers, including RCE attempts from malicious players. “By July 3, 2020 NCC Group observed active exploitation,” NCC reported, posting RIFT’s 6-day chronicle of the attacker activity with graphs showing spikes in exploit attempts.