Security researcher Mikhail Klyuchnikov disclosed a serious vulnerability in F5 Networks' BIG-IP product over the weekend. BIG-IP LTM is an application delivery controller that sits in front of data center servers, load-balancing traffic and using specialized hardware to offload SSL/TLS termination from them, which improves application performance.
Tracked as CVE-2020-5902, the vulnerability carries a CVSS score of 10 out of 10, a rating that is rare among the CVEs we see today. The score reflects three things: the flaw is exploitable remotely without any authentication, successful exploitation can lead to complete compromise of the appliance, and the attack itself is trivial to carry out.
How It Works
The vulnerability lies in the Traffic Management User Interface (TMUI), also called the Configuration utility. It allows remote code execution and requires no authentication.
Exploitation is simple. Once an attacker finds a BIG-IP whose TMUI is reachable, a single crafted URL built on the login page path, one that can be typed straight into a browser's address bar, is enough to reach authenticated functionality on the appliance. Working request strings have already been published on GitHub.
Researcher Mikhail Klyuchnikov said:
By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.
The RCE is the product of flaws in several components, including one that permits directory traversal. It is particularly dangerous for organizations whose BIG-IP web interface is indexed by search engines such as Shodan, since those appliances can be found and exploited within minutes. Fortunately, most organizations running the product do not expose the interface to the internet.
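Because exploitation is a single HTTP request, the most useful artifact defenders have is the web server access log on the appliance (or on a proxy in front of it). The following is an added example, not code from the original post or from F5: it runs a detection rule over a few constructed Apache-format log lines and flags requests that carry the traversal token the published request strings use. It assumes, based on those public strings, that the telltale is a `..;` path segment after `/tmui/login.jsp`; the specific back-end pages named in the sample lines are illustrative, and the rule deliberately keys on the traversal token rather than on any single page.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format. They are
# illustrative only, not real BIG-IP traffic and not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1583 "-" "python-requests/2.23"
203.0.113.7 - - [05/Jul/2020:10:01:19 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1" 200 902 "-" "curl/7.68.0"
198.51.100.22 - - [05/Jul/2020:10:02:01 +0000] "GET /tmui/tmui/login/welcome.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: source IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption (from the publicly posted request strings): the traversal token is a
# "..;" segment following /tmui/login.jsp. Keying on the token rather than on a
# specific back-end .jsp catches the whole family of requests.
TRAVERSAL_RE = re.compile(r'/tmui/[^?]*?/\.\.;/', re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Decode percent-encoding (twice, to catch double-encoded payloads) and fold
    backslashes to slashes so encoded or "..\\;" variants normalise to "..;"."""
    return unquote(unquote(path)).replace("\\", "/")


def find_tmui_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose path contains the TMUI traversal token."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = normalize_path(m["path"])
        if TRAVERSAL_RE.search(path):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "path": path,
                "status": int(m["status"]),
            })
    return hits


def summarize_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count traversal attempts per source address, the shape an alert would carry."""
    counts: Dict[str, int] = {}
    for h in hits:
        src = str(h["src"])
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_tmui_traversal(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} status={h["status"]} {h["path"]}')
    print(summarize_by_source(found))
```

Two practical notes. First, a 200 response on one of these requests means the back end served the page, so treat that source as having had code execution on the appliance, not as a blocked probe. Second, the decoding step matters: the same traversal arrives percent-encoded, double-encoded, and with backslashes, and a rule that only matches the literal `..;` will miss most scanners.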
Who’s Affected & Mitigation
As noted above, the organizations at greatest risk are those that expose the BIG-IP TMUI to the public internet. Exploitation only requires network access to the Configuration utility, however, so an attacker who is already on the internal network or the management VLAN can exploit an unpatched appliance just as easily.
Affected organizations should update. Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be upgraded to the corresponding fixed releases: 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, and 15.1.0.4.
Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba should switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, where available.
F5 has released the fixed versions and documents them in its security advisory K52145254.
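The version lists above are easy to misread: a release printed as 15.1.0 is still vulnerable because the fix landed in the point release 15.1.0.4, and 15.0.x and 15.1.x have different fixed builds. The following is an added example, not F5's tooling or code from the original post. It takes either a bare version string or the raw output of `tmsh show sys version` (the sample output is constructed), pads the version to four components, and compares it against the fixed releases listed in this post. Branches the post does not list are reported as "unlisted" rather than guessed at.

```python
import re
from typing import Dict, Tuple

# Fixed releases for each affected branch, as listed in the post (F5 K52145254).
# Key: (major, minor) branch. Value: first release in that branch containing the fix.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 0, 1, 4),
    (15, 1): (15, 1, 0, 4),
}

# Constructed sample of "tmsh show sys version" output; illustrative only,
# not taken from a real appliance or from the original post.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0
  Build       0.0.31
  Edition     Final
  Date        Tue Dec 10 17:27:33 PST 2019
"""


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract the first dotted version number and pad it to four components,
    so "15.1.0" compares as 15.1.0.0, the initial build of that point release."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        raise ValueError(f"no version number found in: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    padded = parts + (0,) * (4 - len(parts))
    return padded[0], padded[1], padded[2], padded[3]


def assess(text: str) -> str:
    """Classify a version string or raw tmsh output against the fixed releases.

    Returns "vulnerable", "fixed", or "unlisted" when the (major, minor) branch
    is not one the post covers; unlisted branches should be checked against the
    advisory itself rather than assumed safe."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in (SAMPLE_TMSH_OUTPUT, "BIG-IP 14.1.2 Build 0.0.37", "15.0.1.4", "16.0.0"):
        print(f"{parse_version(sample)} -> {assess(sample)}")
```

Run it against the inventory your SIEM or CMDB already holds for each appliance; anything that comes back "vulnerable" with a TMUI reachable from outside should be treated as a likely compromise and investigated, not just patched.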
Nick Dixon
Nick is a cybersecurity professional with over a decade of experience in IT security and operations management. A Detroit native and graduate of Eastern Michigan University's Information Assurance program, he currently serves as Security Analyst & Technical Support Manager at Blumira, where he has advanced through...