
Rapid7 Analysis: CVE-2020-5902 — TMUI RCE vulnerability

Last updated on Jun 16, 2026

Description: On July 3, F5 Networks announced that its BIG-IP Traffic Management User Interface (TMUI) has a remote code execution vulnerability (CVE-2020-5902) in undisclosed pages. Successful exploitation allows unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. See F5’s advisory, which was published June 30, for full details.

CVE-2020-5902 carries a CVSSv3 base score of 10.0 and is known to be actively exploited in the wild as of July 3, 2020. Security researcher Kevin Beaumont also noted on Sunday, July 5 that BIG-IP boxes are being targeted with automated credential scraping, and that organizations whose BIG-IP instances were yet to be upgraded should rotate credentials and examine log data.

Affected products include: BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM)

Known vulnerable versions:

  • 15.1.0
  • 15.0.0
  • 14.1.0 - 14.1.2
  • 13.1.0 - 13.1.3
  • 12.1.0 - 12.1.5
  • 11.6.1 - 11.6.5

F5’s advisory notes that “the BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

Rapid7 analysis: BIG-IP is common in enterprise and high-value environments and makes an extremely attractive attack target even for vulnerabilities with higher barriers to exploitation. CVE-2020-5902 presents no such hurdle for attackers; the vulnerability is easily exploitable and straightforward to weaponize. As of July 5, Rapid7’s vulnerability research and exploit development team has tested multiple attack vectors and was able to achieve unauthenticated remote root code execution with one of them: RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. Metasploit exploit code that obtains a root shell on vulnerable versions of BIG-IP is here.

Over the weekend, the research community published a widely shared Sigma rule to detect exploitation. The rule is under active revision to account for and mitigate a number of different evasions. Further details are below, but in general defenders should be aware of quickly evolving information about mitigation and detection bypasses. Defenders can mitigate the risk of evasions by modifying monitoring processes to alert on unique components (e.g., ..;, tmui) and setting more precise matching rules.

Originally, the Sigma rule checked for a base path, /tmui/login, like so:

detection:
   selection_base:
       c-uri|contains: '/tmui/login'
   selection_traversal:
       c-uri|contains:
           - '..;/'
           - '.jsp/..'
   condition: selection_base and selection_traversal

This means the path must contain /tmui/login as a prerequisite, and then either ..;/ or .jsp/.. as a traversal token. Rapid7 researchers verified as of July 7, 2020 that it was possible for attackers to circumvent the rule—for instance by modifying the login path to /tmui/./login, where . means the current directory (/tmui). In general, path normalization works against detection rules here: the server normalizes /tmui/./login to /tmui/login before routing the request, so the request still reaches the same handler while the raw URI no longer contains the /tmui/login substring the rule expects. As of July 8, this evasion has been mitigated by updates to the Sigma rule. However, Metasploit researchers have tested further evasions that, for instance, break selection_traversal instead of selection_base. Our guidance for defenders remains the same—alerting on unique components and setting precise matching rules is recommended as an overarching strategy regardless of the particulars of each new evasion.
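As an added example (not code from the original post or from Rapid7), the following Python transcribes the original rule's two selections, runs it and a hardened variant that follows the "unique components" guidance over constructed access-log lines, and shows the /tmui/./login evasion slipping past the original check. The log lines, the example.jsp endpoint name and the hardened rule's exact logic are constructions for illustration.

```python
import re

# Constructed sample access-log lines (not from the original post). The third line is the
# /tmui/./login evasion described above; the fourth is ordinary traffic with a '..' token.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200
10.0.0.6 - - [07/Jul/2020:10:00:02 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200
10.0.0.7 - - [07/Jul/2020:10:00:03 +0000] "GET /tmui/./login.jsp/..;/tmui/example.jsp HTTP/1.1" 200
10.0.0.8 - - [07/Jul/2020:10:00:04 +0000] "GET /docs/page.jsp/../index.html HTTP/1.1" 200
"""

URI_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def extract_uris(log_text):
    """Pull the request URI (the Sigma rule's c-uri field) out of each log line."""
    uris = []
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if m:
            uris.append(m.group(1))
    return uris

def original_rule(uri):
    """Direct transcription of the post's first Sigma rule: base path AND a traversal
    token, both matched as substrings of the raw URI."""
    selection_base = '/tmui/login' in uri
    selection_traversal = '..;/' in uri or '.jsp/..' in uri
    return selection_base and selection_traversal

def collapse_dot_segments(uri):
    """Drop '/./' segments so /tmui/./login is seen as /tmui/login, mirroring the server's
    normalization. Only single-dot segments are collapsed; '..' is kept as evidence."""
    return re.sub(r'/(?:\./)+', '/', uri)

def hardened_rule(uri):
    """Assumed hardened rule: match the unique components independently, with the base
    check on the normalized path and the traversal check on both raw and normalized forms."""
    norm = collapse_dot_segments(uri)
    has_tmui = '/tmui/' in norm
    has_traversal = '..;' in uri or '.jsp/..' in norm
    return has_tmui and has_traversal

def scan(log_text, rule):
    """Return the URIs that a given rule flags."""
    return [u for u in extract_uris(log_text) if rule(u)]

if __name__ == '__main__':
    for name, rule in (('original', original_rule), ('hardened', hardened_rule)):
        print(name, scan(SAMPLE_LOG, rule))
```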

Guidance:
F5 Networks customers running affected products should upgrade to a non-vulnerable version as quickly as possible. If you are unable to patch, F5 lists a number of mitigation options with detailed instructions in the Security Advisory Recommended Actions section of their advisory. In general, organizations should avoid exposing management interfaces to the public internet.

Update August 4, 2020: AlienVault and Trend Micro researchers reported this week that a Mirai botnet exploit has been weaponized to attack IoT devices via CVE-2020-5902. Per Trend Micro’s report, “a Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.”

Update July 13, 2020: Researchers have strongly emphasized that patching is far preferred to applying mitigations. The mitigation bypass shared last week has been detected in the wild since at least July 7. Further information from F5 Networks is below, but organizations that were unable to patch and instead applied the mitigation should assess their systems for compromise and patch as soon as possible.

Update July 8, 2020: The F5 Networks communication below advises BIG-IP customers who were unable to patch that their previously suggested mitigation is able to be circumvented.

“The Security Advisory for this CVE contained a suggested mitigation, for those unable to upgrade immediately, which was believed to prevent unauthenticated attackers from exploiting the vulnerability. Today F5 received new information, which indicated there was a method for attackers to circumvent the mitigation and compromise an unpatched system.

A new mitigation has been developed, and an updated Security Advisory has been published: K52145254: TMUI RCE vulnerability CVE-2020-5902. F5 recommends applying this new mitigation to all systems which have not yet been upgraded to a patched release, including those systems which were previously mitigated.”

As community reports have indicated both active exploitation of CVE-2020-5902 and automated credential scraping, BIG-IP customers should also strongly consider changing credentials and examining their logs for unusual activity. Organizations should assess whether their individual risk models warrant further incident response or other compromise investigation.
