Threat Response: Vulnerabilities in BIG-IP Systems

06-07-2020

A SAFE DIGITAL JOURNEY

On 1 July 2020, a number of vulnerabilities were published affecting F5 BIG-IP systems [1]. One of these vulnerabilities is deemed critical and is registered as CVE-2020-5902 with a CVSS 3 base score of 10.0. Over the course of the weekend, multiple proof-of-concept exploits became available. We therefore want to inform you about the threat and the mitigations that can be applied.

Description

A critical vulnerability exists in the “Traffic Management User Interface” (TMUI) of BIG-IP systems. Exploitation of this vulnerability can lead to the execution of arbitrary code by a remote, unauthenticated attacker. The attack does, however, require network access to the affected device. The following systems have been proven vulnerable:

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM), versions:

  • 15.1.0
  • 15.0.0
  • 14.1.0 up to 14.1.2
  • 13.1.0 up to 13.1.3
  • 12.1.0 up to 12.1.5
  • 11.6.1 up to 11.6.5

Besides the previously mentioned critical vulnerability, additional noteworthy vulnerabilities affecting the above system versions have been published as well. A full overview can be found below:

CVE            CVSS (1)  Description
CVE-2020-5902  10.0      Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
CVE-2020-5903  7.5       Cross-Site Scripting (XSS) vulnerability in an undisclosed page of the BIG-IP Configuration utility.
CVE-2020-5904  8.8       Cross-Site Request Forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI).
CVE-2020-5905  5.5       On the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display (v11.6.1 – 11.6.5.2).
CVE-2020-5906  5.4       The BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.
CVE-2020-5907  6.6       An authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file reads/writes via the built-in sftp functionality.
CVE-2020-5908  3.8       In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, Edge Client for Linux exposes the full session ID in the local log files.

(1) CVSS score based on CVSS version 3, as provided by F5. The scores were current when this message was written and are subject to change.

Impact

Exploitation of CVE-2020-5902 can lead to remote code execution by an unauthenticated attacker, potentially leading to full system compromise.

Exploitation of the XSS and CSRF vulnerabilities can, if an administrative user is logged on during execution, ultimately also lead to full system compromise.

Risk

Northwave estimates the impact of the vulnerability to be high. The probability of an attack is, given the availability of exploit code for CVE-2020-5902 [3][4][5], also high. As a result, the risk of this threat is high.

Mitigation

F5 has released updates for most of the affected software versions. Northwave recommends installing the update as soon as possible. This update also contains fixes for the other vulnerabilities mentioned.

An update has been released for the following versions:

Current version      Patched version
15.1.0               15.1.0.4
14.1.0 – 14.1.2      14.1.2.6
13.1.0 – 13.1.3      13.1.3.4
12.1.0 – 12.1.5      12.1.5.2
11.6.1 – 11.6.5      11.6.5.2

For 15.0.0 only, an update has not been made available.
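Added here as a worked example (not Northwave's or F5's tooling): a small Python triage helper that checks inventory versions against the affected and patched versions listed above. It assumes each range runs from the first listed version up to, but not including, the patched version (so 14.1.2.5 is still affected while 14.1.2.6 is not) and treats 15.0.0 as affected with no patch available; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage helper for the BIG-IP advisory above (added example; not Northwave's or F5's code).
Encodes only the affected ranges and patched versions listed in the advisory. Assumption: a
branch is affected from its first listed version up to, but not including, the patched version."""
from typing import Dict, List, Optional, Tuple

# (first affected version, first patched version; None = no fix published at time of writing)
AFFECTED_BRANCHES: List[Tuple[Tuple[int, ...], Optional[Tuple[int, ...]]]] = [
    ((15, 1, 0), (15, 1, 0, 4)), ((15, 0, 0), None), ((14, 1, 0), (14, 1, 2, 6)),
    ((13, 1, 0), (13, 1, 3, 4)), ((12, 1, 0), (12, 1, 5, 2)), ((11, 6, 1), (11, 6, 5, 2)),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'14.1.2.3' -> (14, 1, 2, 3); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text: str) -> Dict[str, object]:
    """Classify one TMOS version against the advisory's affected/patched table."""
    v = parse_version(version_text)
    for first, patched in AFFECTED_BRANCHES:
        if v[:2] != first[:2]:  # major.minor selects the branch
            continue
        if v < first:
            verdict = (False, "below the listed affected range")
        elif patched is None:
            verdict = (True, "no patch published; apply the F5 mitigations from K52145254")
        elif v < patched:  # tuple comparison: (14,1,2) < (14,1,2,6) and (14,1,2,5) < (14,1,2,6)
            verdict = (True, "upgrade to " + ".".join(map(str, patched)))
        else:
            verdict = (False, "at or above the patched version")
        break
    else:
        verdict = (False, "branch not listed in the advisory")
    return {"version": version_text, "affected": verdict[0], "action": verdict[1]}

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, action) for every host that still needs action, in inventory order."""
    results = [(host, assess(ver)) for host, ver in inventory]
    return [(host, str(r["action"])) for host, r in results if r["affected"]]

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    sample = [("lb-edge-01", "14.1.2.3"), ("lb-edge-02", "14.1.2.6"),
              ("lb-dmz-01", "15.0.0"), ("lb-lab-01", "16.0.0")]
    for host, action in triage(sample):
        print(f"{host}: {action}")
```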

When updating is not possible, the mitigation steps set out by F5 can be performed [1]. Note that these steps apply exclusively to CVE-2020-5902.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://support.f5.com/csp/article/K52145254

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902

[3]: https://github.com/jas502n/CVE-2020-5902

[4]: https://twitter.com/x4ce/status/1279790599793545216

[5]: https://github.com/rapid7/metasploit-framework/pull/13807

Note: to see the update on this threat response, please click here.

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.