Urgent patching advised for BIG-IP configuration interface flaw

News by Teri Robinson

Urgent patching advised following vulnerability found in configuration interface of the BIG-IP delivery controller used by some of the world’s biggest companies, governments, & enterprise networks.

Urgent patching has been called for following a vulnerability found in the configuration interface of the BIG-IP delivery controller, which is used by some of the world’s biggest companies, governments, military, internet service providers, cloud-computing data centres and enterprise networks; the flaw was quickly fixed by its developer, F5.

Last Friday US Cyber Command retweeted F5’s advisory to patch the flaw immediately. The flaw could enable Remote Code Execution (RCE), possibly allowing an attacker to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets such as the internal network.

Positive Technologies researcher Mikhail Klyuchnikov discovered the application delivery controller (ADC) vulnerability in the configuration interface of F5’s popular BIG-IP product.

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorisation, perform remote code execution (RCE),” Klyuchnikov said.

US Cyber Command took the vulnerability report seriously, as evidenced by its retweet of F5’s post: its 3 July cybersecurity alert via Twitter, marked “URGENT”, advised: “Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately.” F5’s post the same day stated that the vulnerability in the BIG-IP Traffic Management User Interface (TMUI) “existed in undisclosed pages”, and recommended “upgrading to a fixed software version to fully mitigate this vulnerability.”

Klyuchnikov pointed out in the Positive Technologies blog that the RCE results from security flaws in multiple components, such as one that allows directory traversal exploitation. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.” Fortunately, he added, most companies using the product do not enable access to the interface from the internet.

Last month Positive Technologies found more than 8,000 vulnerable devices available on the internet of which 40 percent lie in the US, 16 percent in China, 3 percent in Taiwan, and 2.5 percent in Canada and Indonesia. Less than 1 percent of vulnerable devices were detected in Russia.

CVE-2020-5902 received a CVSS (Common Vulnerability Scoring System) score of 10, indicating the highest degree of danger. To exploit it, an attacker needed to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
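The two paragraphs above describe the attack surface from a defender's point of view: the RCE chain includes a directory-traversal flaw, it is reached with a crafted HTTP request to the server hosting TMUI, and most of the risk comes from configuration interfaces that are reachable from the internet. The following example, added here and not code from the article, F5 or Positive Technologies, shows one way to triage web-server access logs for traversal attempts aimed at a management interface: it percent-decodes each request path (repeatedly, to undo double encoding), then flags any request under the management prefix that contains a path segment beginning with `..`. The `/tmui/` prefix and the combined-format log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real traffic).
# The second and fourth requests contain traversal sequences under the management prefix.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jul/2020:10:15:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4120
203.0.113.10 - - [03/Jul/2020:10:15:02 +0000] "GET /tmui/login.jsp/%2e%2e/%2e%2e/admin/page.jsp HTTP/1.1" 200 812
198.51.100.7 - - [03/Jul/2020:10:16:30 +0000] "GET /static/app.css HTTP/1.1" 200 2300
192.0.2.44 - - [03/Jul/2020:10:17:05 +0000] "POST /tmui/../../some/other/page HTTP/1.1" 404 0
"""

# Assumed URL prefix of the management (TMUI) interface; adjust to the deployment.
MGMT_PREFIX = "/tmui/"

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw_path, max_rounds=3):
    """Strip the query string and percent-decode until the path stops changing.

    Repeating the decode (bounded by max_rounds) catches double-encoded
    sequences such as %252e%252e, which a single decode would leave as %2e%2e.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True if any '/'-separated segment starts with '..'.

    Checking the segment prefix rather than the literal '../' also catches
    variants where extra characters follow the dots before the next slash.
    """
    return any(segment.startswith("..") for segment in path.split("/"))


def scan_log(text):
    """Return one finding per request that targets the management prefix
    with a traversal sequence, after decoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = decode_path(m["path"])
        if path.startswith(MGMT_PREFIX) and has_traversal(path):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": path,
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Run against the sample, the scanner reports the two traversal requests and ignores the plain login-page and static-asset requests. A 200 status on a flagged request deserves the most attention, since it means the server answered rather than rejected the traversal; either way the source address is a candidate for blocking, and the finding is a reminder that the management interface should not be reachable from untrusted networks in the first place.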

To block this and other potential attacks, companies may deploy web application firewalls such as PT Application Firewall.

F5 has also fixed a second vulnerability discovered by Mikhail Klyuchnikov in the BIG-IP configuration interface. XSS vulnerability CVE-2020-5903 (score: 7.5) enables running malicious JavaScript code as the logged-in user. If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE. F5 provided details and recommendations in a security bulletin.

Separately, to examine exploit activity against the vulnerability, NCC Group’s Research and Intelligence Fusion Team (RIFT) created a honeypot, which immediately drew attention from attackers, including RCE attempts from malicious actors. “By July 3, 2020 NCC Group observed active exploitation,” NCC reported, posting RIFT’s six-day chronicle of the hacker attention with graphs showing spikes in exploit attempts.

First published in SC US.
