On July 1, F5 Networks revealed that there was a maximum CVSS 10.0 remote code execution (RCE) vulnerability in its BIG-IP administrative interface.
(CVE-2020-5902 was disclosed by F5 in in K52145254 ).
BIG-IP is a product suite widely used by blue chip financial services and tech firms, government agencies and more. It acts as a gateway to your data centre, handling network load balancing, SSL offloading, and more.
Its traffic management interface (TMUI) runs on self-IPs by default.
A large number of businesses appear to have exposed it to the internet when setting up VLANs for their public IPs, experts say.
The urgency of patching this cannot be understated. I worked for F5 for a decade; they power cell carriers, banks, Fortune 500 and many governments.
If deployed correctly the mgmt interface shouldn't be internet exposed but @binaryedgeio returns 14k hits for 'tmui' so YMMV 🤷♂️ https://t.co/IgKGgE7wBK
— Nate Warfield (@n0x08) July 2, 2020
The RCE reportedly gives root as administrator. It couldn’t get worse. (Anyone with network access to the Traffic Management User Interface through the BIG-IP management port, can execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.)
F5 Exploit: Snoop on Fortune 50 Traffic
As former F5 staffer Nate Warfield put it on Twitter: “A common use of their technology is SSL offloading; full compromise of a system could in theory allow someone to snoop on unencrypted traffic inside the device.”
Within three days the vulnerability was under active exploitation.
Ok, we are seeing active exploitation of CVE-2020-5902
Patch it today
— Rich Warren (@buffaloverflow) July 4, 2020
Security researchers say 8,460 F5 customers had the BIG-IP product internet-facing. These include some of the world’s biggest companies.
BIG-IP is, by all accounts, something of a major headache to patch, owing to its centrality to network infrastructure.
Now a growing number of security staff on the defensive side are seething over what they see as the excessively early publication of exploits by offensive security teams that allow bad actors to abuse the vulnerability.
In a timeline that captures how fast things can move, from a vendor disclosing a bug, to security researchers reverse-engineering the patch and working out how to attack the security flaw, NCC Group said by –
- 15:53 July 5 fully functional exploit payloads were shared on Twitter
- 17:00 July 5 reverse engineering analysis and example payloads were released on Github.
- 21:29 July 5 Metasploit exploit modules were made available.
- 02:26 July 6 Further exploits released on Github.
Sometimes I wonder if offensive security guys/girls are on the same side of the BlueTeam.
Today a popular offensive security framework played against us by publishing the exploit everyone was wanted, when the public exploit development wasn't so advanced.
— SwitHak (👁) (@SwitHak) July 5, 2020
As Warfield put it: “A ton of us spent the last 72 hours working hard to get notifications out to at risk orgs, then in a single self-glorifying act the playing field was tipped back to the skiddiez. By the ‘good guys’. Nice job. I’m sure red teams really needed this during a long weekend.”
The full F5 exploit is now public. Entire thing fits in a tweet. Consider exploitation ongoing (if you weren’t already).
This is an incident response, not a patching drill.
— Jason Kikta @ the Centre for Unilateral Analysis (@kikta) July 5, 2020
This is now, as as one networking security specialist put it, “incident response, not a patching drill”. It comes just a week after another CVSS 10 vulnerability in software from a vendor that is used as part of security infrastructure.
F5 said: “The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) Vulnerability in undisclosed pages. This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This issue is not exposed on the data plane; only the control plane is affected.
“F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability. Temporary mitigations… and upgrade recommendations can be found in the security advisory.
For those napping, Palo Alto’s critical (CVSS 10) CVE-2020-2021 also needs patching.
See also: Urgent Call to Patch New Palo Alto Vulnerability: “Foreign APTs will Attempt Exploit Soon”