A private security researcher named Mikhail Klyuchnikov disclosed a substantial vulnerability relating to F5 Networks’ product BIG-IP over the weekend. F5 BIG-IP LTM uses specialized hardware to offload SSL encryption from data center servers. F5 BIG-IP LTM works to improve application performance.
Known as CVE-2020-5902, this vulnerability was given a 10 out of 10 severity, which is a rare occurrence in the CVEs we see today. The reason for this score is due to the impact this exploit can have remotely and unauthenticated (potentially resulting in complete system compromise), as well as the simplicity of this attack.
How It Works
This vulnerability affects the Traffic Management User Interface (TMUI), also referred to as the Configuration utility. It can allow for remote code execution, and doesn’t require any authentication.
Exploitation is simple. When attackers find a F5 BIG-IP on the internet, they simply have to run a login string command in the address bar to gain access to a victim’s system. These strings can be found here on GitHub.
Researcher Mikhail Klyuchnikov said:
By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE1). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.
RCE, in this case, results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.
Who’s Affected & Mitigation
As stated above, only companies that enable public internet access to their F5 BIG-IP web interface are affected.
Affected companies are advised to update. Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be replaced by the corresponding updated versions (22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11).
Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba should switch to BIG-IP Virtual Edition (VE) versions 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, or 220.127.116.11, if available.
F5 has released a fix in their latest patch release, found in Solution K52145254.