F5 BIG-IP is a multi-purpose networking device manufactured by F5 Networks which can be configured to work as a traffic shaping system, firewall, load balancer, access gateway, rate limiter or SSL middleware. F5 BIG-IP devices are among the most popular networking products and are widely used in government networks, banks, internet service provider networks, cloud computing data centers and enterprise networks. A critical remote code execution (RCE) vulnerability has been discovered in F5's BIG-IP networking devices and is being actively exploited in the wild. The vulnerability is tracked as CVE-2020-5902 and allows an attacker to read files, execute code or take complete control of a vulnerable system. It has already been observed in the wild being used to install coin-miners and IoT malware or to scrape administrator credentials from compromised devices.
The vulnerability resides in the configuration interface, also referred to as the Traffic Management User Interface (TMUI), of the BIG-IP application delivery controller (ADC). The CVSS score for this vulnerability is 10.0, reflecting that it is easy to exploit and requires no valid credentials. An attacker only needs to send a specially crafted HTTP request to the server hosting the TMUI utility used for BIG-IP configuration.
A typical HTTP request exploiting this vulnerability to fetch the contents of the '/etc/passwd' file is given below:
On successful exploitation,
Publicly available PoC:
Multiple proof-of-concept exploits are publicly available for this vulnerability.
This vulnerability allows an attacker to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, perform directory traversal, completely compromise the system and pursue further targets, such as the internal network.
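Because the exploit is an unauthenticated HTTP request against the TMUI path, the traffic is visible in the device's or a front-end proxy's access log. The detector below is an added example, not part of the original advisory or any F5 tooling: it canonicalizes each request path the way a servlet container would (percent-decoding, discarding `;param` suffixes on path segments) before looking for a traversal segment or a query parameter naming a file under /etc. The log format and all sample lines are constructed for the example.

```python
import re
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines, not real traffic. Fields: client, method, request-target, status.
SAMPLE_LOG = """\
203.0.113.5 GET /tmui/login.jsp 200
203.0.113.9 GET /tmui/login.jsp/..;/tmui/example.jsp?fileName=/etc/passwd 200
198.51.100.7 GET /tmui/login.jsp/%2e%2e%3b/tmui/example.jsp?fileName=/etc/hosts 200
203.0.113.5 GET /tmui/example.jsp?fileName=report.txt 200
198.51.100.2 GET /index.html 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def canonical_segments(raw_path):
    """Percent-decode (twice, to catch double encoding) and strip the ';param' suffix
    that servlet containers ignore on each path segment, returning the segments the
    backend would actually resolve."""
    decoded = unquote(unquote(raw_path))
    return [seg.split(";", 1)[0] for seg in decoded.split("/")]


def is_suspicious(request_target):
    """True when a TMUI request carries a traversal segment or asks for a file under /etc."""
    parts = urlsplit(request_target)
    segments = canonical_segments(parts.path)
    if len(segments) < 2 or segments[1].lower() != "tmui":
        return False
    traversal = ".." in segments
    params = parse_qs(parts.query)
    sensitive = any(v.startswith("/etc/") for values in params.values() for v in values)
    return traversal or sensitive


def scan_log(text):
    """Return (client, normalized path) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m.group(3)):
            path = posixpath.normpath("/".join(canonical_segments(urlsplit(m.group(3)).path)))
            hits.append((m.group(1), path))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {path}")
```

Matching on the canonical form rather than the raw string is what keeps the encoded variant on the third sample line from slipping past the check.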
BIG-IP Devices (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) versions 11.6.x prior to 126.96.36.199, 12.1.x prior to 188.8.131.52, 13.x prior to 184.108.40.206, 14.x prior to 220.127.116.11 and 15.x prior to 18.104.22.168.
F5 has released security fixes for this vulnerability. Upgrade BIG-IP devices (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) to version:
- 22.214.171.124, or
- 126.96.36.199, or
- 188.8.131.52, or
- 184.108.40.206, or
The following mitigations are available:
- All network interfaces: This can be used to address the primary threat from unauthenticated attackers.
- Self IPs: This addresses unauthenticated and authenticated attackers on self IPs by blocking all access.
- Management interface: This addresses unauthenticated attackers on the management interface by restricting access.
NOTE: These are temporary workarounds. Please apply the upgrade above as early as possible.
Please refer to the Mitigation section of the vendor advisory for step-by-step details.