Critical CVE-2020-5902 Threat: Securing F5 Networks BIG-IP from Remote Code Execution Vulnerability

Executive Summary

CVE-2020-5902 is a critical Remote Code Execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of F5 Networks' BIG-IP devices. This vulnerability allows unauthenticated attackers to execute arbitrary system commands, create or delete files, disable services, and potentially take full control of the affected system. The severity of this vulnerability is underscored by its CVSS v3.1 Base Score of 9.8, making it imperative for organizations to address it promptly. This report delves into the technical intricacies of CVE-2020-5902, its exploitation in the wild, the APT groups leveraging it, and the mitigation strategies to safeguard your infrastructure.

Technical Information

CVE-2020-5902 is a critical vulnerability identified in the TMUI of F5 Networks' BIG-IP devices. The vulnerability is assigned a CVSS v3.1 Base Score of 9.8, indicating its high severity. The vulnerability exists due to improper input validation in the TMUI, which can be exploited by unauthenticated attackers to execute arbitrary system commands, create or delete files, disable services, and potentially take full control of the affected system.

The affected versions of BIG-IP include:

- BIG-IP versions 15.0.0-15.1.0.3
- BIG-IP versions 14.1.0-14.1.2.5
- BIG-IP versions 13.1.0-13.1.3.3
- BIG-IP versions 12.1.0-12.1.5.1
- BIG-IP versions 11.6.1-11.6.5.1

The vulnerability can be exploited remotely without authentication, making it particularly dangerous. The attack vector is through the TMUI, which is accessible via the management interface or self IPs. An attacker can craft a malicious HTTP request to the TMUI, which, when processed, allows the execution of arbitrary commands on the underlying operating system.

The technical details of the vulnerability are as follows:

- CVE ID: CVE-2020-5902
- Severity: Critical (CVSS v3.1 Base Score: 9.8)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation in the Wild

The exploitation of CVE-2020-5902 has been observed in the wild, with multiple reports of threat actors leveraging this vulnerability to gain unauthorized access to networks. Exploit code and proof of concept (PoC) scripts are readily available on platforms such as GitHub and Packet Storm Security. Notable repositories and advisories include:

- GitHub Repository: Exploit code for F5-Big-IP (CVE-2020-5902) (https://github.com/yasserjanah/CVE-2020-5902)
- Packet Storm Security: BIG-IP TMUI Remote Code Execution (http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html)
- Packet Storm Security: F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution (http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html)

Reports of exploitation include:

- CISA Advisory: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902 (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a)
- Bad Packets Report: Over 3000 F5 BIG-IP Endpoints Vulnerable to CVE-2020-5902 (https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/)

APT Groups using this vulnerability

Various Advanced Persistent Threat (APT) groups have been reported to leverage CVE-2020-5902 to gain initial access to networks. These groups often use the vulnerability as part of their broader attack campaigns, which may include data exfiltration, lateral movement, and deployment of additional malware. The MITRE ATT&CK Framework provides insights into the tactics and techniques employed by these groups:

- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter (T1059)

Affected Product Versions

The following versions of BIG-IP are affected by CVE-2020-5902:

- BIG-IP versions 15.0.0-15.1.0.3
- BIG-IP versions 14.1.0-14.1.2.5
- BIG-IP versions 13.1.0-13.1.3.3
- BIG-IP versions 12.1.0-12.1.5.1
- BIG-IP versions 11.6.1-11.6.5.1
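The version ranges above are the practical input to a patch triage: an inventory of BIG-IP version strings has to be compared against the affected branches, and the comparison has to treat the fourth (point-release) component correctly so that, for example, 15.1.0.0 is recognised as inside the 15.0.0-15.1.0.3 range while 15.1.0.4 is not. The following Python is an added example written for this report, not Rescana's or F5's code; it encodes only the ranges listed on this page, and the inventory it checks is constructed sample data (the hostnames and version strings are assumptions, not real devices).

```python
"""Affected-version check for CVE-2020-5902 (added example, not the vendor's code).

The ranges below are the BIG-IP branches listed in this report. Version
strings are assumed to be in BIG-IP's 'major.minor.maint[.point]' form;
where they come from (e.g. a device's version output) is an assumption here.
"""
from typing import Dict, List, Tuple

# Inclusive (first_affected, last_affected) ranges exactly as listed in the report.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[.point]' into a 4-tuple, padding a missing point release with 0.

    A bare '15.0.0' therefore compares as (15, 0, 0, 0), so the upper bound
    15.1.0.3 still covers 15.1.0.0 through 15.1.0.3, and 15.1.0.4 falls outside.
    """
    parts = version.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str) -> bool:
    """True when the version lies inside any listed affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch' (inside a listed range), 'not-listed' (outside every
    listed range) or 'unknown' (version string could not be parsed)."""
    result: Dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            result[host] = "patch" if is_affected(ver) else "not-listed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "bigip-edge-1": "15.1.0.3",   # last affected release of the 15.x branch
    "bigip-edge-2": "15.1.0.4",   # one point release past the listed range
    "bigip-dc-1": "14.1.2.5",
    "bigip-dc-2": "16.0.0",       # branch not listed in the report at all
    "bigip-lab": "15.1",          # malformed for this check: too few components
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {SAMPLE_INVENTORY[host]:10s} {verdict}")
```

A result of "not-listed" means only that the version sits outside the ranges this report enumerates; a release from a branch the report does not mention (such as the 16.0.0 entry in the sample) should still be checked against the F5 advisory rather than assumed safe, which is why the verdict is not spelled "ok".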

Workaround and Mitigation

To mitigate the risks associated with CVE-2020-5902, F5 Networks has provided several recommendations:

- Patch: Apply the latest patches provided by F5 Networks to mitigate this vulnerability. The patches can be found in the F5 Networks Advisory: TMUI RCE vulnerability CVE-2020-5902 (https://support.f5.com/csp/article/K52145254)
- Workaround: Restrict access to the TMUI by blocking access to the Configuration utility through self IPs and management interfaces.

Additionally, organizations should implement robust detection and response mechanisms to identify and respond to potential exploitation attempts. Indicators of Compromise (IOCs) include unusual file creation or deletion activities, unexpected system commands being executed, and services being disabled without authorization. Detection tools such as the Checker for CVE-2020-5902 (http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html) can assist in identifying vulnerable systems.

References

For further information on CVE-2020-5902, please refer to the following resources:

- NVD: CVE-2020-5902 Detail (https://nvd.nist.gov/vuln/detail/cve-2020-5902)
- CERT: Vulnerability Note VU#290915 (https://www.kb.cert.org/vuls/id/290915)
- Tenable Blog: CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) (https://www.tenable.com/blog/cve-2020-5902-critical-vulnerability-in-f5-big-ip-traffic-management-user-interface-tmui)
- Medium Article: CVE-2020-5902 Analysis, F5 BIG-IP RCE Vulnerability (https://medium.com/certik/cve-2020-5902-analysis-f5-big-ip-rce-vulnerability-3a3ae6278128)

Rescana is here for you

At Rescana, we understand the critical importance of safeguarding your infrastructure against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you stay ahead of potential vulnerabilities and ensure the security of your systems. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
