In a recent security update, F5 networking equipment was found vulnerable to a Remote Code Execution (RCE) attack. The company provides a series of networking devices collectively called BIG-IP, which are used as load balancers in front of servers that handle requests for various applications. The affected BIG-IP versions are listed in the table below.
According to the Common Vulnerability Scoring System (CVSS), CVE-2020-5902 has a base score of 10.0 out of 10. To understand the vulnerability, we first need some background on F5’s BIG-IP and its Traffic Management User Interface (TMUI).
WHAT IS F5’S BIG-IP?
F5 is a multinational enterprise that mainly offers security, performance, and availability solutions for web applications. BIG-IP was one of the early products of F5 Technologies, offering load balancing for networks and applications through the virtual IP (proxy) concept. In layman’s terms, BIG-IP is a specialized proxy server that sits between users and applications: users reach the desired application through the BIG-IP proxy. Over time, the idea of BIG-IP has evolved into a combined software and hardware management solution that provides services such as intelligent traffic management, high availability of applications, access control, security, and optimization. The following modules are collectively called BIG-IP solutions and are offered by F5 Technologies in both hardware and software form.
1) Local Traffic Manager (LTM)
The LTM offers network traffic management to enhance the performance and security of applications. Think of several servers operating in a network: the LTM directs incoming traffic to a server based on its availability, performance, and security.
2) Global Traffic Manager (GTM)
Similar to LTM, GTM provides the same capabilities for globally distributed applications. The module enhances the performance and security of global applications through DNS management.
3) Access Policy Manager (APM)
The APM is an access control service that manages users’ access to applications based on their roles and requirements.
4) Application Security Manager (ASM)
The ASM provides security solutions for web applications through the deployment of web application firewalls.
5) Advanced Firewall Manager (AFM)
The AFM is a layer-specific security solution for applications. The module provides firewall security at Layer 3 (Network) and Layer 4 (Transport) against Denial of Service attacks.
6) Secure Web Gateway (SWG) Services
The SWG helps in defining and implementing web access policies for users. The module can act as a filter to allow or block web services based on the pre-defined access policy.
The TMUI is the configuration interface of BIG-IP, as shown in the following screenshot. The TMUI components reside on a Linux host server.
BIG-IP & TMUI VULNERABILITY
The following figure presents a simple BIG-IP architecture in which users access applications through the BIG-IP proxy. Administrative and configuration tasks are performed through the Traffic Management User Interface (TMUI), which is also part of the BIG-IP ecosystem. CVE-2020-5902 lies in the TMUI, also known as the Configuration utility.
The vulnerability can be exploited by sending a crafted HTTP request to the TMUI server.
AFFECTED BIG-IP DEVICES
The following table lists the BIG-IP versions and modules affected by CVE-2020-5902. The affected devices are found in both physical and virtual environments, providing services such as access management, content delivery control, and application gateways.
| BIG-IP versions (start of affected range) | Affected modules |
|---|---|
| 11.6.1 | LTM, GTM, AAM, AFM, ASM, DNS, Analytics, APM, PEM, FPS, Link Controller |
| 12.1.0 | LTM, GTM, AAM, AFM, ASM, DNS, Analytics, APM, PEM, FPS, Link Controller |
| 13.1.0 | LTM, GTM, AAM, AFM, ASM, DNS, Analytics, APM, PEM, FPS, Link Controller |
| 14.1.0 | LTM, GTM, AAM, AFM, ASM, DNS, Analytics, APM, PEM, FPS, Link Controller |
| 15.0.0 | LTM, GTM, AAM, AFM, ASM, DNS, Analytics, APM, PEM, FPS, Link Controller |
- The vulnerability can allow attackers to steal secret credentials.
- Administrative access to BIG-IP devices is possible with the CVE-2020-5902 exploit.
- Attackers can use the RCE vulnerability as an entry point to break into the rest of an organization’s network.
- Attackers can execute arbitrary Java code or system commands.
- Deletion, modification, or creation of files is possible on systems affected by CVE-2020-5902.
CVE-2020-5902 IoC DETECTION TOOL
The F5 security team has published a Python script that customers can use to check whether their systems have been compromised. The script can be downloaded from the following GitHub resource and should only be run in the F5 advanced shell (bash).
The script is designed around the BIG-IP architecture to look for potential Indicators of Compromise (IoCs) at specific locations/paths. The following screenshot shows all the scanning options available in the CVE-2020-5902 IoC detection tool.
Note: the script may find no traces if the relevant files have been overwritten or the attackers have covered their tracks. Users are therefore advised not to rely solely on the script and to follow all possible mitigation and prevention measures.
TEMPORARY CONFIGURATION MITIGATIONS
The F5 security advisory recommends the following temporary mitigations for customers who cannot update immediately.
1) Restrict Access
The first quick, temporary measure to mitigate the RCE is to block access to the BIG-IP Configuration utility for both authenticated and unauthenticated attackers using the following settings.
1.1) Self IPs
On Self IPs, all access to the Configuration utility can be blocked by changing the Port Lockdown setting to Allow None. Any specific port that is still required can then be opened with the Allow Custom option.
1.2) Management Interface
For the management interface, restrict access to F5 products to a secure, trusted network only.
2) TMUI HTTPD
The TMUI HTTPD mitigation is intended to prevent unauthenticated attackers from leveraging the known exploits. It requires adding a LocationMatch configuration element to the HTTPD configuration, as follows.
1. First, sign in to the TMOS Shell using the following command.
2. Next, open the HTTPD properties in the vi editor using the following command.
edit /sys httpd all-properties
3. Locate the line reading "include none" and replace it with the following configuration.
include '
<LocationMatch ";">
Redirect 404 /
</LocationMatch>
<LocationMatch "hsqldb">
Redirect 404 /
</LocationMatch>
'
4. Save the changes and restart the HTTPD service.
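The following Python script is an added example written for this article; it is neither F5's IoC detection tool nor code from the advisory. It re-implements the two Apache LocationMatch patterns from the HTTPD mitigation above (";" and "hsqldb") as Python regexes, applies them to individual request paths so an administrator can confirm what the rule blocks, and then runs the same logic over a few constructed access-log lines in Apache Combined Log Format to support the retrospective IoC review discussed in the detection section. The log lines, IP addresses and paths are all constructed for the example.

```python
"""Defender-side check for the TMUI HTTPD LocationMatch mitigation.

Added example (not F5 code). Apache <LocationMatch "regex"> applies an
unanchored regex search to the URL path only (query string excluded), so
re.search on the path part is the Python equivalent.
"""
import re
from typing import Dict, List

# The two patterns from the advisory's LocationMatch mitigation.
MITIGATION_PATTERNS = {
    "semicolon-in-path": re.compile(r";"),
    "hsqldb": re.compile(r"hsqldb"),
}

# Apache Combined Log Format (assumption: TMUI httpd logs in this format):
# client - user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one benign, one with a semicolon in the
# path, one hsqldb request, one with a semicolon only in the query string,
# and one malformed line that the parser should skip.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4312',
    '198.51.100.7 - - [05/Jul/2020:10:00:02 +0000] "GET /tmui/a;b/ HTTP/1.1" 200 812',
    '203.0.113.9 - - [05/Jul/2020:10:00:03 +0000] "GET /hsqldb/ HTTP/1.1" 200 120',
    '192.0.2.10 - - [05/Jul/2020:10:00:04 +0000] "GET /tmui/login.jsp?user=x;y HTTP/1.1" 200 4312',
    'not a log line',
]


def path_of(target: str) -> str:
    """Strip the query string: LocationMatch only sees the path part."""
    return target.split("?", 1)[0]


def mitigation_verdict(path: str) -> List[str]:
    """Return the names of the LocationMatch rules that would 404 this path.

    An empty list means the request would pass through to TMUI.
    """
    return [name for name, pat in MITIGATION_PATTERNS.items() if pat.search(path)]


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per logged request the mitigation would have blocked.

    Useful for reviewing logs from before the mitigation was applied: a
    matching request that was answered with a 200 reached TMUI unfiltered.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        path = path_of(m["target"])
        rules = mitigation_verdict(path)
        if rules:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": path,
                "status": int(m["status"]),
                "rules": rules,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['path']} "
              f"status={hit['status']} matched={','.join(hit['rules'])}")
```

Two points the output makes visible: the semicolon rule is deliberately broad and will also reject harmless paths that happen to contain a semicolon, which is the trade-off the advisory accepts for a temporary mitigation; and a semicolon that appears only in the query string is not matched, because LocationMatch never inspects the query string.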
CVE-2020-5902 is a dangerous vulnerability that can take some time to resolve. Besides following F5 Technologies’ recommendations, customers must also follow the basics of cyber-defense, such as updating affected software versions, hardening systems, and rotating passwords.