Pierluigi Paganini July 08, 2020

Researchers have found a way to bypass F5 Networks mitigation for the actively exploited BIG-IP vulnerability, and hackers already used it.

Researchers have found a way to bypass one of the mitigations proposed by F5 Networks for the actively exploited BIG-IP vulnerability. Unfortunately, threat actors in the wild were already using the bypass technique before its public disclosure.

Early June, researchers at F5 Networks have addressed a critical remote code execution (RCE) vulnerability, tracked as CVE-2020-5902, that resides in undisclosed pages of Traffic Management User Interface (TMUI) of the BIG-IP product.

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” reads the advisory published by F5. “This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

The BIG-IP product is an application delivery controller (ADC), it is used by government agencies and major business, including banks, services providers and IT giants like Facebook, Microsoft and Oracle.

F5 Networks says the BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.

US Cyber Command posted a message on Twitter urging organizations using the F5 product to immediately patch their installs.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, and create or delete files, and potentially take over the BIG-IP device

The CVE-2020-5902 vulnerability received a CVSS score of 10, this means that is quite easy to exploit. The issue could be exploited by sending a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product threat actors started exploiting it in attacks in the wild.

Immediately after the public disclosure of the flaw, that several proof-of-concept (PoC) exploits have been released, some of them are very easy to use.

F5 has released security updates to address the issue along with some mitigations that should prevent exploitation.

Now security researchers Rich Mirch and Chase Dardaman from Critical Start, have devised a bypass method for one of the mitigations proposed by F5.

Waiting for more effective mitigation, customers have no choice, they have to update their systems immediatelly.

NCC researchers have also found a method to bypass mitigation proposed by the vendor, they claim the technique was being exploited in attacks a few hours before they published it.

“CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By July 3rd, 2020 NCC Group observed active exploitation.” reported NCC. “

“As of 18:24 on July 7, 2020 it has been publicly reported that the mitigation can be bypassed. Our data shows this bypass was first publicly exploited at 12:39 on July 7, 2020 (6 hours before).”

Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.

According to Bad Packets experts, hackers are scanning the Internet in the attempt to exploit the flaw.

Many of the targeted systems belong to government agencies, healthcare providers, educational organizations, and financial institutions.

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]