Positive Technologies expert Mikhail Klyuchnikov discovered a critical vulnerability in the configuration interface of the popular BIG-IP application delivery controller, which is used by the largest companies in the world. By exploiting this bug, an attacker could execute commands as an unauthenticated user and completely compromise the system, for example by intercepting the traffic of the web resources the controller manages. The attack can be carried out remotely.
Positive Technologies analysts estimated that at the end of June 2020 there were over 8,000 vulnerable devices accessible from the Internet worldwide: 40% of them in the USA, 16% in China, 3% in Taiwan, and 2.5% each in Canada and Indonesia. In Russia, less than 1% of the vulnerable devices were detected.
The vulnerability was assigned the identifier CVE-2020-5902 and scored 10 points on the CVSS scale, which corresponds to the highest level of severity. To exploit the vulnerability, the attacker must send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI), also known as the BIG-IP system configuration utility.
“This vulnerability could allow a remote attacker, including one who has not authenticated but has access to the BIG-IP configuration utility, to execute arbitrary code in the software (RCE). As a result, the attacker will be able to create or delete files, disable services, intercept information, execute arbitrary system commands and arbitrary Java code, completely compromise the system and develop the attack further, for example into the internal segment of the network,” said Mikhail Klyuchnikov. “The RCE is caused by a combination of security flaws in several system components (for example, directory traversal). Companies that expose the F5 BIG-IP web interface can be found in specialized search engines such as Shodan, but it should be noted that not all user companies have the relevant interface reachable from the global network.”
To fix the vulnerability, the system must be updated to the latest version: vulnerable BIG-IP versions (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be replaced with versions in which the vulnerability is fixed (BIG-IP 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52). Users of public cloud marketplaces (AWS, Azure, GCP and Alibaba) should use the BIG-IP Virtual Edition versions (184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 or 126.96.36.199), provided that they are available in those marketplaces. Further recommendations can be found in the official F5 BIG-IP security bulletin.