This alert is being provided for informational purposes and for potential use to protect systems, networks, and data against this cyber threat at the sole discretion of recipients. As the cyber threat landscape is ever-evolving and attribution can be difficult, the NTIC Cyber Center makes no guarantees of the accuracy of this information during and after the dissemination of this alert as indicators of compromise (IoCs) and adversary tactics, techniques, and procedures (TTPs) may change. Recipients are urged to use caution before implementing any changes to systems, software, and procedures.
SUMMARY
On July 3, 2020, US Cyber Command published an alert on social media urging users of the F5 BIG-IP Traffic Management User Interface (TMUI) to patch their systems immediately because of flaws that threat actors may exploit to compromise them. F5 customers include governments, Fortune 500 firms, banks, service providers, and technology enterprises.
The first flaw, CVE-2020-5902, rated critical, is a remote code execution (RCE) vulnerability in the TMUI that allows an unauthenticated attacker with network access to the TMUI through the BIG-IP management port and/or self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code via crafted HTTP requests. The issue is confined to the control plane: it is not exposed through the data-plane virtual servers a BIG-IP fronts, but any management interface or self IP reachable from an untrusted network is exposed. The second flaw, CVE-2020-5903, is a cross-site scripting (XSS) vulnerability in the TMUI that lets an attacker run malicious JavaScript in the browser of an authenticated user; if that user is logged in as an administrator, this can lead to a complete compromise of the BIG-IP system.
There are currently no reports of threat actors exploiting these vulnerabilities in the wild; however, security researchers have begun to publicly post proof-of-concept (PoC) exploits demonstrating how easily data can be exfiltrated from, and commands executed on, affected devices.
BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x are vulnerable and should be upgraded to the corresponding fixed version or later: 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4 (15.0.x deployments may also move directly to 15.1.0.4).
Cloud marketplace users are advised to switch to BIG-IP Virtual Edition versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.
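The following is an added example, not tooling from F5 or the NTIC Cyber Center, that turns the version guidance above into a fleet check: each inventory entry is compared, component by component, against the fixed version for its branch, so that 14.1.3 is correctly treated as later than 14.1.2.6 and a build suffix such as 15.1.0.4-0.0.6 is tolerated. The branch-to-fix table is the one listed in this alert; the version-string format and the sample inventory are assumptions.

```python
"""Map BIG-IP version strings to the fixed versions listed in this alert.

Added example for this alert; it is not F5's or the NTIC Cyber Center's own
tooling. The branch-to-fix table is taken from the alert text; the
version-string handling (four-component comparison, optional build suffix)
is an assumption about how inventories typically record BIG-IP versions.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected branch -> minimum fixed version named in the alert.
# 15.0.x may alternatively move to 15.1.0.4, as the alert notes.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 0, 1, 4),
    (15, 1): (15, 1, 0, 4),
}

# Leading "v" and a trailing build suffix ("-0.0.6") are tolerated (assumed format).
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Version:
    """Parse '14.1.2.3', '15.1.0', or '13.1.3.4-0.0.6' into a 4-tuple.

    Missing trailing components count as zero, so 14.1.3 sorts after 14.1.2.6.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized BIG-IP version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for one BIG-IP version string.

    status is one of:
      'vulnerable'  affected branch, below the fixed version
      'patched'     affected branch, at or above the fixed version
      'not_listed'  branch not named in the alert; check F5's advisory
    """
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "not_listed", None
    return ("patched" if v >= fixed else "vulnerable"), fmt(fixed)


def fleet_report(inventory: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every (hostname, version) pair in an inventory."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "14.1.2.3"),
    ("lb-edge-02", "14.1.2.6"),
    ("lb-core-01", "15.1.0.3"),
    ("lb-core-02", "15.1.0.4-0.0.6"),
    ("lb-lab-01", "16.0.0"),
    ("lb-old-01", "11.6.1"),
]

if __name__ == "__main__":
    for host, (status, fixed) in fleet_report(SAMPLE_INVENTORY).items():
        action = f"upgrade to {fixed}" if status == "vulnerable" else status
        print(f"{host:12s} {action}")
```

A 'not_listed' result is deliberately not reported as safe: branches outside the alert's table (for example an end-of-support release) need to be checked against F5's advisory rather than assumed unaffected.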
RECOMMENDATIONS
The NTIC Cyber Center recommends that all affected F5 BIG-IP administrators review the F5 Security Advisories for CVE-2020-5902 (K52145254) and CVE-2020-5903 (K43638305) and patch all affected systems as soon as possible. For customers unable to patch immediately, F5 provides interim mitigations: block TMUI access through self IPs (Port Lockdown set to Allow None, or a custom list that excludes the TMUI port), restrict management-interface access to trusted networks only, and apply the httpd configuration change that returns a 404 for the request paths used in the attack. F5's first httpd mitigation was later found to be bypassable and was revised, so use the current version from the advisory and treat any mitigation as a stopgap until the system is patched.
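The check below is an added example for this alert, not code from the NTIC Cyber Center or F5. It triages BIG-IP httpd access-log lines for the request shape behind CVE-2020-5902: the TMUI front end (Apache httpd) and the Java back end disagree about a ';' inside a path segment, so a request such as /tmui/login.jsp/..;/<servlet> is matched by the front end against its unauthenticated allow rule for /tmui/login.jsp while the back end treats '..;' as '..' and serves <servlet>. F5's httpd mitigation returned 404 for paths containing '..;' and, after a bypass, for any ';'. The two regexes are modeled on that mitigation and are assumptions rather than F5's text; the log lines are constructed, and the probe paths follow the publicly reported shape rather than real traffic.

```python
"""Triage BIG-IP httpd access-log lines for CVE-2020-5902 probing.

Added example for this alert; it is not code from the NTIC Cyber Center or
from F5. The detection patterns are assumptions modeled on F5's published
httpd mitigation ('..;' first, any ';' after the bypass), and the sample
log lines are constructed.
"""
import re
from urllib.parse import unquote

# Apache combined-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

DOTDOT_SEMICOLON = re.compile(r"\.\.;")  # shape of F5's first rule (assumed)
ANY_SEMICOLON = re.compile(r";")         # shape of F5's broadened rule (assumed)


def strip_path_params(path: str) -> str:
    """Drop ';param' from each segment, as a servlet container does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(target: str) -> dict:
    """Classify one request target (path plus optional query string).

    front_path is what a path-prefix allow rule on the front end matches;
    after_traversal is the resource named past the '..;' segment, i.e. what
    the back end is actually asked to serve.
    """
    raw_path = target.split("?", 1)[0]
    path = unquote(raw_path)  # probes may %-encode '.' or ';'
    hit = DOTDOT_SEMICOLON.search(path)
    if hit:
        return {
            "verdict": "traversal",
            "front_path": path[:hit.start()].rstrip("/") or "/",
            "after_traversal": path[hit.end():] or "/",
        }
    stripped = strip_path_params(path)
    if ANY_SEMICOLON.search(path):
        # Caught by the broad rule; may be benign (e.g. ;jsessionid=) but
        # would be answered 404 under that mitigation, so report it.
        return {"verdict": "semicolon", "front_path": stripped,
                "after_traversal": stripped}
    return {"verdict": "clean", "front_path": stripped,
            "after_traversal": stripped}


def triage(log_text: str) -> list:
    """Return the flagged requests from access-log text, in file order."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        c = classify(m["target"])
        if c["verdict"] == "clean":
            continue
        flagged.append({
            "client": m["client"], "ts": m["ts"], "status": int(m["status"]),
            "verdict": c["verdict"], "front_path": c["front_path"],
            "after_traversal": c["after_traversal"],
        })
    return flagged


# Constructed sample lines (Apache combined log format, not real traffic).
SAMPLE_LOG = """\
198.51.100.10 - - [05/Jul/2020:09:58:41 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5124 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 1620 "-" "python-requests/2.23.0"
203.0.113.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/%2E%2E%3B/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1402 "-" "curl/7.68.0"
203.0.113.9 - - [05/Jul/2020:10:02:30 +0000] "GET /tmui/login.jsp;jsessionid=ABC123 HTTP/1.1" 200 5124 "-" "Mozilla/5.0"
198.51.100.10 - - [05/Jul/2020:10:03:00 +0000] "POST /tmui/logout.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']:14s} {hit['status']} "
              f"{hit['verdict']:9s} front={hit['front_path']} "
              f"reaches={hit['after_traversal']}")
```

Two things to read off the output: a 200 status on a 'traversal' hit means the request was served rather than blocked and warrants incident response on that device, and the 'semicolon' verdict on the ;jsessionid= line shows why F5's broadened rule is safer but noisier than the original, which only matched '..;'.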
Read more at National Capital Region Threat Intelligence Consortium