Proof-of-Concept Exploits Released for Critical F5 BIG-IP Vulnerabilities

This alert is being provided for informational purposes and for potential use to protect systems, networks, and data against this cyber threat at the sole discretion of recipients. As the cyber threat landscape is ever-evolving and attribution can be difficult, the NTIC Cyber Center makes no guarantees of the accuracy of this information during and after the dissemination of this alert as indicators of compromise (IoCs) and adversary tactics, techniques, and procedures (TTPs) may change. Recipients are urged to use caution before implementing any changes to systems, software, and procedures.

SUMMARY

On July 3, 2020, US Cyber Command published an alert on social media urging users of the F5 BIG-IP Traffic Management User Interface (TMUI) to patch their systems immediately due to flaws that threat actors may exploit to compromise them. F5 customers include governments, Fortune 500 firms, banks, service providers, and technology enterprises. The first flaw, CVE-2020-5902, rated critical, is a remote code execution (RCE) vulnerability in the TMUI (also called the Configuration utility) that allows unauthenticated attackers with network access to the TMUI, via the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code using crafted HTTP requests. Only the control plane is affected; the data plane is not exposed. The second flaw, CVE-2020-5903, is a cross-site scripting (XSS) vulnerability in the TMUI that lets a threat actor run JavaScript in the browser of a logged-in user; when the victim is an administrator with access to the Advanced Shell (bash), this can be leveraged into full compromise of the system. At the time of this alert there were no reports of threat actors exploiting these vulnerabilities in the wild; however, security researchers have begun to publicly post proof-of-concept (PoC) exploits demonstrating how easily an attacker can read files from and execute commands on affected devices.
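The PoCs referred to above work because the HTTP front end on the BIG-IP and the Java servlet container behind it canonicalise request paths differently: a `..;` path segment is opaque to the front end's location matching but is treated as `..` by the container once it strips the `;` path parameter, so a request that begins with the unauthenticated login page path can reach authenticated TMUI pages. The following Python script is an added example, not code from the original alert, from F5, or from any published PoC; it shows how a responder can check httpd access logs for that pattern after the fact. The log lines are constructed for the example, the combined-log format, the log location and the choice of `/tmui/login.jsp` as the unauthenticated prefix are this example's own assumptions, and the request paths in the sample mirror the ones used by the publicly posted PoCs.

```python
import re
from urllib.parse import unquote

# Apache "combined"-style access-log line. Assumption for this example: the
# httpd on BIG-IP (/var/log/httpd/httpd_access_log) writes something close
# to this; adjust the regex if your format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefix the front end lets through without a TMUI session.
# Assumption for this example: the login page itself.
UNAUTH_PREFIX = "/tmui/login.jsp"

# Constructed sample log, not a real capture. Lines 1-2 are benign
# (plain login page, and a ';jsessionid' path parameter that is legitimate
# servlet syntax); lines 3-5 are the traversal pattern, once percent-encoded.
SAMPLE_LOG = """\
198.51.100.23 - - [04/Jul/2020:21:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4893 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jul/2020:21:14:09 +0000] "GET /tmui/login.jsp;jsessionid=7F3A HTTP/1.1" 200 4893 "-" "Mozilla/5.0"
203.0.113.77 - - [04/Jul/2020:22:03:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1792 "-" "python-requests/2.24.0"
203.0.113.77 - - [04/Jul/2020:22:03:45 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 864 "-" "python-requests/2.24.0"
203.0.113.77 - - [04/Jul/2020:22:03:50 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 2210 "-" "curl/7.68.0"
"""


def backend_view(target: str) -> str:
    """Canonicalise a request target the way a Java servlet container does:
    drop the query string, percent-decode, strip ';param' from every path
    segment, then resolve '.' and '..'. The front-end proxy matches on the
    raw string, where '..;' is just another segment, so the two views differ."""
    path = unquote(target.split("?", 1)[0])
    resolved = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]  # ';jsessionid=...' and '..;' alike
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def is_traversal_bypass(target: str) -> bool:
    """True when the raw target passes the front-end prefix check but its
    canonical form no longer sits under that prefix, i.e. the request used
    path-parameter traversal to move somewhere the front end did not see."""
    raw_path = target.split("?", 1)[0]
    if not raw_path.startswith(UNAUTH_PREFIX):
        return False
    return not backend_view(target).startswith(UNAUTH_PREFIX)


def scan(log_text: str) -> list:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_bypass(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "raw": m["target"].split("?", 1)[0],
            "resolved": backend_view(m["target"]),
        })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        # A 200 on a resolved path outside the login page is the strongest
        # signal; a 404 still shows someone probed the host.
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["raw"]} -> {h["resolved"]}')
```

Run it against the real log with `scan(open("/var/log/httpd/httpd_access_log").read())`; any hit with a 200 response on an affected version should be treated as a likely compromise rather than a scan, and the device rebuilt rather than merely patched.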

BIG-IP versions that are vulnerable (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be upgraded to the corresponding fixed version (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4). Both CVEs are fixed in the same releases.

Cloud marketplace users are advised to switch to BIG-IP Virtual Edition versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.

RECOMMENDATIONS

The NTIC Cyber Center recommends all affected F5 BIG-IP administrators review the F5 Security Advisories K52145254 (CVE-2020-5902) and K43638305 (CVE-2020-5903) and patch all affected systems as soon as possible. For customers unable to patch immediately, F5 provides temporary mitigations, including blocking TMUI access via Self IPs and restricting management-port access to trusted networks; these reduce exposure but do not replace the patch, and systems that were reachable from untrusted networks before patching should be reviewed for signs of compromise.

Read more at National Capital Region Threat Intelligence Consortium


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
