On July 1, F5 Networks revealed that there was a maximum CVSS 10.0 remote code execution (RCE) vulnerability in its BIG-IP administrative interface.
(CVE-2020-5902 was disclosed by F5 in K52145254.)
BIG-IP is a product suite widely used by blue chip financial services and tech firms, government agencies and more. It acts as a gateway to your data centre, handling network load balancing, SSL offloading, and more.
Its traffic management interface (TMUI) runs on self-IPs by default.
A large number of businesses appear to have exposed it to the internet when setting up VLANs for their public IPs, experts say.
The urgency of patching this cannot be understated. I worked for F5 for a decade; they power cell carriers, banks, Fortune 500 and many governments.
If deployed correctly the mgmt interface shouldn't be internet exposed but @binaryedgeio returns 14k hits for 'tmui' so YMMV https://t.co/IgKGgE7wBK
— Nate W. | #BlackLivesMatter | #NoJusticeNoPeace (@n0x08) July 2, 2020
The RCE reportedly gives root-level access. It couldn’t get worse. (Anyone with network access to the Traffic Management User Interface through the BIG-IP management port can execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.)
F5 Exploit: Snoop on Fortune 50 Traffic
As former F5 staffer Nate Warfield put it on Twitter: “A common use of their technology is SSL offloading; full compromise of a system could in theory allow someone to snoop on unencrypted traffic inside the device.”
Within three days the vulnerability was under active exploitation.
Ok, we are seeing active exploitation of CVE-2020-5902
Patch it today
— Rich Warren (@buffaloverflow) July 4, 2020
Security researchers say 8,460 F5 customers had the BIG-IP product internet-facing. These include some of the world’s biggest companies.
BIG-IP is, by all accounts, something of a major headache to patch, owing to its centrality to network infrastructure.
Now a growing number of security staff on the defensive side are seething over what they see as the excessively early publication of exploits by offensive security teams that allow bad actors to abuse the vulnerability.
In a timeline that captures how fast things can move, from a vendor disclosing a bug to security researchers reverse-engineering the patch and working out how to attack the flaw, NCC Group said that by:
- 15:53 on July 5, fully functional exploit payloads were shared on Twitter
- 17:00 on July 5, reverse-engineering analysis and example payloads were released on GitHub
- 21:29 on July 5, Metasploit exploit modules were made available
- 02:26 on July 6, further exploits were released on GitHub
Sometimes I wonder if offensive security guys/girls are on the same side as the BlueTeam.
Today a popular offensive security framework played against us by publishing the exploit everyone wanted, when the public exploit development wasn't so advanced.
— SwitHak (@SwitHak) July 5, 2020
As Warfield put it: “A ton of us spent the last 72 hours working hard to get notifications out to at risk orgs, then in a single self-glorifying act the playing field was tipped back to the skiddiez. By the ‘good guys’. Nice job. I’m sure red teams really needed this during a long weekend.”
The full F5 exploit is now public. Entire thing fits in a tweet. Consider exploitation ongoing (if you weren’t already).
This is an incident response, not a patching drill.
— Jason Kikta (@kikta) July 5, 2020
This is now, as one networking security specialist put it, “incident response, not a patching drill”. It comes just a week after another CVSS 10 vulnerability in software from a vendor whose products form part of security infrastructure.
F5 said: “The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) Vulnerability in undisclosed pages. This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This issue is not exposed on the data plane; only the control plane is affected.
“F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability. Temporary mitigations… and upgrade recommendations can be found in the security advisory.”
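Both the description above of TMUI listening on self-IPs and F5's advisory point at the same defensive question: which of your self-IPs leave the Configuration utility reachable, and are any of them on routable addresses? As an added illustration, not part of the article and not F5's own tooling, the Python below reads self-IP definitions in the shape of `tmsh list net self` output and classifies each one. The sample configuration is constructed; the tmsh layout, the handling of the `allow-service` port-lockdown values, and the treatment of `default` as including tcp:443 are assumptions to check against your own export.

```python
import ipaddress
import re

# Constructed sample shaped like `tmsh list net self` output (the exact tmsh
# layout is assumed here; adapt the parser if your export differs).
SAMPLE_TMSH = """\
net self external_self {
    address 203.0.113.10/24
    allow-service all
    vlan external
}
net self internal_self {
    address 10.1.1.10/24
    allow-service default
    vlan internal
}
net self dmz_self {
    address 198.51.100.5/24
    allow-service none
    vlan dmz
}
net self ha_self {
    address 192.0.2.7/24
    allow-service {
        tcp:443
        udp:1026
    }
    vlan ha
}
"""

# Services that let the Configuration utility (TMUI, HTTPS on 443) answer on a
# self-IP. Assumption: "default" is treated as exposing it, since F5's default
# port-lockdown service list includes tcp:443.
TMUI_SERVICES = {"tcp:443"}

# RFC 1918 ranges count as internal; anything else is treated as routable.
# The documentation ranges in the sample stand in for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_self_ips(text):
    """Return a list of {name, address, allow} dicts from tmsh-style self-IP config."""
    selfs, current, in_allow = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"net self (\S+) \{$", line)
        if m:
            current = {"name": m.group(1), "address": None, "allow": set()}
            selfs.append(current)
            continue
        if current is None:
            continue
        if in_allow:                      # inside an allow-service { ... } list
            if line == "}":
                in_allow = False
            else:
                current["allow"].add(line)
        elif line.startswith("address "):
            current["address"] = line.split(None, 1)[1]
        elif line == "allow-service {":
            in_allow = True
        elif line.startswith("allow-service "):
            current["allow"].add(line.split(None, 1)[1])   # all / none / default
        elif line == "}":
            current = None
    return selfs


def tmui_reachable(allow):
    """True if the port-lockdown setting leaves TMUI reachable on this self-IP."""
    if "none" in allow:
        return False
    if "all" in allow or "default" in allow:
        return True
    return bool(allow & TMUI_SERVICES)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def audit(text):
    """Map each self-IP name to 'exposed', 'internal' or 'locked'."""
    result = {}
    for s in parse_self_ips(text):
        ip = ipaddress.ip_interface(s["address"]).ip
        if not tmui_reachable(s["allow"]):
            result[s["name"]] = "locked"
        elif is_internal(ip):
            result[s["name"]] = "internal"
        else:
            result[s["name"]] = "exposed"
    return result


if __name__ == "__main__":
    for name, status in audit(SAMPLE_TMSH).items():
        print(f"{name:15} {status}")
```

Anything reported as `exposed` is a self-IP on a routable address with TMUI reachable, which is the configuration the article's sources are warning about; `internal` entries still deserve a look, since the advisory covers any network access to the control plane, not only from the internet.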
For those napping, Palo Alto’s critical (CVSS 10) CVE-2020-2021 also needs patching.
See also: Urgent Call to Patch New Palo Alto Vulnerability: “Foreign APTs will Attempt Exploit Soon”