USCYBERCOM urgently recommends that F5 customers patch CVE-2020-5902 and CVE-2020-5903 NOW

InfoSec News

By William Knowles @c4i
Senior Editor
InfoSec News
July 6, 2020

Just in case you accidentally had your work phone and duty pager in a Faraday bag all July 4th holiday weekend long, you have one heckuva surprise waiting for you!

F5, which reminds everyone that 48 of the Fortune 50 are F5 customers, has published a security advisory warning its customers to patch a critical flaw in its BIG-IP product, and proof-of-concept attacks are already starting to show up on Twitter.

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. (CVE-2020-5902)

Impact

This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Security Advisory Status

F5 Product Development has assigned IDs 895525, 900757, 895981, and 895993 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.

Product                         Branch  Versions known to  Fixes introduced in  Severity        CVSSv3    Vulnerable component
                                        be vulnerable                                           score(1)  or feature
BIG-IP (LTM, AAM, AFM,          15.x    15.1.0             15.1.0.4             Critical        10.0      TMUI/Configuration
Analytics, APM, ASM, DNS,               15.0.0             None                                           utility
FPS, GTM, Link Controller,      14.x    14.1.0 – 14.1.2    14.1.2.6
PEM)                            13.x    13.1.0 – 13.1.3    13.1.3.4
                                12.x    12.1.0 – 12.1.5    12.1.5.2
                                11.x    11.6.1 – 11.6.5    11.6.5.2
BIG-IQ Centralized Management   7.x     None               Not applicable       Not vulnerable  None      None
                                6.x     None               Not applicable
                                5.x     None               Not applicable
Traffix SDC                     5.x     None               Not applicable       Not vulnerable  None      None

(1) The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
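One way to apply the table above to a running system, as an added example that is not F5's own tooling: the script below transcribes the BIG-IP rows of the table and classifies a version string of the kind `tmsh show sys version` prints. The `show sys version` excerpt embedded in it is constructed, not taken from a real device; the version ranges and fixed builds come from the table, and a version that falls in none of the listed rows is reported as "not listed" rather than guessed at. A row with no fixed build (15.0.0) comes back with `None`, which is the advisory's "no upgrade candidate in this branch" case.

```python
"""Classify a BIG-IP version against the affected-version table on this page.

Added example (not F5 tooling). BIGIP_TABLE is transcribed from the table
above; SAMPLE_SHOW_SYS_VERSION is a constructed excerpt in the shape of
`tmsh show sys version` output and is not taken from a real device.
"""
import re

# (first vulnerable, last vulnerable, fixed-in) per branch row of the table.
# Bounds are inclusive on the first three components; a point-release fix
# such as 14.1.2.6 leaves 14.1.2.0 through 14.1.2.5 vulnerable. None means
# the advisory lists no fixed build in that branch (upgrade to another one).
BIGIP_TABLE = [
    ("15.1.0", "15.1.0", "15.1.0.4"),
    ("15.0.0", "15.0.0", None),
    ("14.1.0", "14.1.2", "14.1.2.6"),
    ("13.1.0", "13.1.3", "13.1.3.4"),
    ("12.1.0", "12.1.5", "12.1.5.2"),
    ("11.6.1", "11.6.5", "11.6.5.2"),
]

# Constructed sample in the shape of `tmsh show sys version` output.
SAMPLE_SHOW_SYS_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2.3
  Build       0.0.5
  Edition     Point Release 3
"""


def parse_version(text):
    """'14.1.2' -> (14, 1, 2, 0): always four integer components."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def check_bigip(version):
    """Return (status, fixed_in) for a BIG-IP version string.

    status is 'vulnerable', 'fixed' or 'not listed' (the version falls in
    no row of the table, so the advisory makes no statement about it).
    """
    v = parse_version(version)
    for low, high, fix in BIGIP_TABLE:
        if parse_version(low)[:3] <= v[:3] <= parse_version(high)[:3]:
            if fix is not None and v >= parse_version(fix):
                return ("fixed", fix)
            return ("vulnerable", fix)
    return ("not listed", None)


def version_from_show_sys(output):
    """Pull the Version field out of `tmsh show sys version` style output."""
    m = re.search(r"^\s*Version\s+(\S+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found")
    return m.group(1)


if __name__ == "__main__":
    ver = version_from_show_sys(SAMPLE_SHOW_SYS_VERSION)
    status, fix = check_bigip(ver)
    print(f"BIG-IP {ver}: {status}" + (f", fixed in {fix}" if fix else ""))
```

The comparison deliberately uses the first three components for range membership and all four for the fix check, because that is how the table reads: 14.1.2 is a vulnerable release, but its point release 14.1.2.6 carries the fix.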

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability. If you are leveraging public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to deploy BIG-IP Virtual Edition (VE), F5 recommends upgrading to the latest releases of the BIG-IP versions listed in the Fixes introduced in column, subject to their availability on those marketplaces. If it is not possible to upgrade at this time, you can use the following sections as temporary mitigations:

All network interfaces

To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so, perform the following procedure.

Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the TMOS Shell (tmsh) by entering the following command:
     tmsh
  2. Edit the httpd properties by entering the following command:
     edit /sys httpd all-properties
  3. Locate the include section and add the following (use straight single and double quotes exactly as shown; typographic quotes will not parse):
     include ' <LocationMatch ".*\.\.;.*"> Redirect 404 / </LocationMatch> '
  4. Write and save the changes to the configuration file by entering the following commands:
     Esc :wq!
  5. Save the configuration by entering the following command:
     save /sys config
  6. Restart the httpd service by entering the following command:
     restart sys service httpd
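To see what the LocationMatch workaround above does and does not catch, and to look for matching requests in an httpd access log, here is an added example that is not F5 code. `WORKAROUND_RE` is the exact regex from step 3; `REVISED_RE` is the broader pattern F5 substituted in a later revision of this advisory, after the `..;` pattern was shown to be insufficient (it matches any `;` in the URL path, and is included here as a caveat, not as something this page recommends). The request paths and the log lines are constructed; `/tmui/example.jsp` is a placeholder, not a real TMUI page. Apache applies `<LocationMatch>` to the percent-decoded URL path without the query string, and the emulation does the same.

```python
"""Emulate the httpd LocationMatch workaround above and scan access-log lines.

Added example (not F5 code). WORKAROUND_RE is the regex from the tmsh steps
above; REVISED_RE is the broader pattern F5 substituted in a later revision
of the advisory. The request paths and log lines are constructed, and
"/tmui/example.jsp" is a placeholder, not a real TMUI page.
"""
import re
from urllib.parse import unquote

# Pattern from the steps above: any URL path containing the sequence "..;".
WORKAROUND_RE = re.compile(r".*\.\.;.*")
# Broader pattern F5 later moved to: any semicolon anywhere in the URL path.
REVISED_RE = re.compile(r";")

# Apache combined log format, with the request line split into parts.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed log excerpt for the scan below; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4523
203.0.113.7 - - [06/Jul/2020:10:12:02 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200 311
198.51.100.9 - - [06/Jul/2020:10:14:30 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/example.jsp?x=1 HTTP/1.1" 404 196
203.0.113.7 - - [06/Jul/2020:10:15:00 +0000] "GET /tmui/login.jsp;jsessionid=0123 HTTP/1.1" 200 4523
"""


def matched_path(request_target):
    """The string a <LocationMatch> is tested against: the URL path without
    the query string, percent-decoded once (httpd decodes before matching)."""
    return unquote(request_target.split("?", 1)[0])


def httpd_decision(request_target, pattern=WORKAROUND_RE):
    """404 if the LocationMatch block fires (Redirect 404 /), else 'pass'."""
    return 404 if pattern.search(matched_path(request_target)) else "pass"


def scan_access_log(lines, pattern=WORKAROUND_RE):
    """Return (source, request path, status) for every logged request the
    given pattern matches. The logged status tells you whether it was
    served: a 200 on such a request means it was answered before the
    workaround was in place."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and pattern.search(matched_path(m["path"])):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, path, status in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{src} {status} {path}")
```

Two things the constructed lines make visible: a `%2e%2e;` request is caught because the decoded path is what gets matched, and a query string containing `..;` is not, because `<LocationMatch>` never sees it. The `;jsessionid=` line passes the page's pattern and is blocked only by the later, broader one, which is why that revision matters when you audit a device that applied the July 6 version of the workaround.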

Self IPs

Block all access to the TMUI of your BIG-IP system via Self IPs. To do so, you can change the Port Lockdown setting to Allow None for each Self IP in the system. If you must open any ports, you should use Allow Custom, taking care to disallow access to TMUI. By default, TMUI listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, a custom port may be configured.

Note: This prevents all access to the TMUI/Configuration utility via the Self IP. These changes may also impact other services. Before making changes to the configuration of your Self IPs, refer to the following:

Management interface

To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network. For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 15.x) and K13092: Overview of securing access to the BIG-IP system.

Note: Authenticated users accessing TMUI will always be able to exploit this vulnerability until a fixed release is installed.

Acknowledgements

F5 would like to acknowledge Mikhail Klyuchnikov of Positive Technologies for bringing this issue to our attention and for following the highest standards of coordinated disclosure.
