Last week, we talked about an extremely dangerous RCE vulnerability fixed in the configuration interface of the popular BIG-IP application delivery controller. The vulnerability was discovered by Positive Technologies experts, received the identifier CVE-2020-5902, and scored 10 out of 10 points on the CVSSv3 scale, which corresponds to the highest severity level.
BIG-IP multipurpose network devices can be configured to operate as traffic management systems, load balancers, firewalls, access gateways, and so on. They are among the most popular network products today and are used in many of the largest and most important networks: BIG-IP devices run in government networks, in ISP networks, in cloud data centers, and in many corporate networks.
By exploiting the bug found by the experts, an attacker can execute commands without authorization and completely compromise the system, for example by intercepting the traffic of web resources managed by the controller. The attack can be carried out remotely.
Positive Technologies analysts wrote that, as of the end of June 2020, there were over 8,000 vulnerable devices accessible from the Internet worldwide: 40% of them in the USA, 16% in China, 3% in Taiwan, and 2.5% each in Canada and Indonesia. In Russia, less than 1% of the vulnerable devices were detected.
The vulnerability attracted the attention of many information security professionals, and because of its severity even the US Cyber Command issued a warning urging everyone to install the patches as soon as possible.
URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv
– USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020
Now NCC Group specialist Rich Warren has warned that the vulnerability is already under attack. Warren runs several honeypots disguised as BIG-IP devices, and according to him, attacks on them began a few hours after the US Cyber Command warning was published. The attacks came from at least five different IP addresses; the attackers tried to steal administrator passwords from the vulnerable devices.
First exploits coming from 🇮🇹 pic.twitter.com/HAySCfh79y
– Rich Warren (@buffaloverflow) July 4, 2020
The fact is that information security researchers have already begun publishing exploits for CVE-2020-5902 to demonstrate how easily the bug can be used, and how quickly it can be turned into data theft or arbitrary command execution.
A repository has already appeared on GitHub collecting PoCs for various tasks, including reading the /etc/passwd file to access the stored credentials and viewing the configuration file of vulnerable devices.
TMSH access in a matter of minutes 😱 (CVE-2020-5902). Of course this does require access to the management interface. pic.twitter.com/FcR2zRZBG9
– Yorick Koster (@yorickkoster) July 5, 2020
Researchers note that the scale of this problem is largely comparable to the RCE vulnerabilities in Pulse Secure VPN and Citrix network gateways. Such bugs are very popular with cybercriminals and are usually used to gain a foothold in corporate networks (after which the attackers deploy backdoors, steal confidential files, or deploy ransomware). For example, the REvil, Maze and Netwalker groups often rely on such vulnerabilities, which allows them to compromise some of the largest companies in the world.