US CISA warns of attacks exploiting CVE-2020-5902 flaw in F5 BIG-IP

The U.S. CISA is warning of the active exploitation of the unauthenticated remote code execution CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the active exploitation of the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices.

The alert includes additional mitigations and detection measures to determine if a system may have been compromised and include info recover after attacks that exploited the vulnerability.

“CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions. CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.” reads the alert published by CISA.

“This Alert also provides additional detection measures and mitigations for victim organizations to help recover from attacks resulting from CVE-2020-5902. CISA encourages administrators to remain aware of the ramifications of exploitation and to use the recommendations in this alert to help secure their organization’s systems against attack.”

Early June, researchers at F5 Networks addressed the CVE-2020-5902 vulnerability, it resides in undisclosed pages of Traffic Management User Interface (TMUI) of the BIG-IP product.

The BIG-IP product is an application delivery controller (ADC), it is used by government agencies and major business, including banks, services providers and IT giants like Facebook, Microsoft and Oracle.

F5 Networks says the BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.

Immediately after the disclosure of the issue, the US Cyber Command posted a message on Twitter urging organizations using the F5 product to immediately patch their installs.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, and create or delete files, and potentially take over the BIG-IP device

The CVE-2020-5902 vulnerability received a CVSS score of 10, this means that is quite easy to exploit. The issue could be exploited by sending a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Immediately after the public disclosure of the flaw, that several proof-of-concept (PoC) exploits have been released, some of them are very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.

According to Bad Packets experts, hackers are scanning the Internet in the attempt to exploit the flaw.

Many of the targeted systems belong to government agencies, healthcare providers, educational organizations, and financial institutions.

F5 has released security updates to address the issue along with some mitigations that should prevent exploitation.

Security researchers Rich Mirch and Chase Dardaman from Critical Start, devised a bypass method for one of the mitigations proposed by F5.

Experts from CISA have observed scanning and reconnaissance, and of course, they also confirmed several compromises, within a few days of F5’s patch release for the flaw.

“As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies—this activity is currently occurring as of the publication of this Alert.” continues the alert.

CISA is currently investigating potential compromise in multiple sectors with the support of several entities, it confirmed two compromises.

While investigating potential compromises resulting from CVE-2020-5902, CISA was able to confirm successful attacks against two targets.

Administrators are recommended to use F5’s CVE-2020-5902 IoC Detection Tool to detect potential compromise within their infrastructure.

Below the list of recommendations for the organizations to mitigate the exposure to attacks exploiting the CVE-2020-5902 vulnerability:

• Quarantine or take offline potentially affected systems
• Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
• Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

In case organizations find evidence of CVE-2020-5902 exploitation, they are urged to implement the following recovery measures for the compromised systems:

• Reimaging compromised hosts
• Provisioning new account credentials
• Limiting access to the management interface to the fullest extent possible
• Implementing network segmentation

“CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions,” the agency concludes.

“CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-5902)

[adrotate banner=”5″]

[adrotate banner=”13″]