{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-031.pdf"
    },
    "title": "UPDATE: F5 Critical Vulnerability",
    "serial_number": "2020-031",
    "publish_date": "05-07-2020 06:37:00",
    "description": "A new vulnerability has been discovered in the configuration interface of the BIG-IP application delivery controller (ADC) used by some of the world's biggest companies. Attackers can run commands as an unauthorized user and completely compromise a system, including interception of controller application traffic. The vulnerability can be exploited remotely, and is already being actively exploited.",
    "url_title": "2020-031",
    "content_markdown": "---\ntitle: 'F5 Critical Vulnerability'\nversion: '1.1'\nnumber: '2020-031'\ndate: 'July 6, 2020'\n---\n\n_History:_\n\n* _05/07/2020 --- v1.0 -- Initial publication_\n* _06/07/2020 --- v1.1 -- Update related to existing exploits_\n\n# Summary\n\nA new vulnerability has been discovered in the configuration interface of the BIG-IP application delivery controller (ADC) used by some of the world's biggest companies. Attackers can run commands as an unauthorized user and completely compromise a system, including interception of controller application traffic. The vulnerability can be exploited remotely, and is already being actively exploited [1, 4].\n\n# Technical Details\n\nThe vulnerability, tracked as CVE-2020-5902, received a CVSS score of 10, the highest possible severity. To exploit it, an attacker needs to send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration. The vulnerability is only exploitable if the management interface is exposed, which generally should not be the case for properly configured systems.\n\nBy exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.\n\nRCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation [2].\n\nNumerous researchers have already publicly posted exploits for this vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices [4]. **Active exploitation is ongoing**.\n\n# Products Affected\n\nThe Traffic Management User Interface (TMUI) of the BIG-IP versions [3]:\n\n- 15.0.0-15.1.0.3,\n- 14.1.0-14.1.2.5,\n- 13.1.0-13.1.3.3,\n- 12.1.0-12.1.5.1,\n- 11.6.1-11.6.5.1.\n\n# Recommendations\n\nF5 Networks has released a patch for this vulnerability. Depending on the version of the software, it should be immediately upgraded to the respective fixed build:\n\n- 11.6.5.2,\n- 12.1.5.2,\n- 13.1.3.4,\n- 14.1.2.6,\n- 15.1.0.4.\n\nBecause many exploits are already available and **the vulnerability is actively exploited**, CERT-EU strongly recommends patching these products as soon as possible.\n\n## Exploitation Detection\n\nTo check for exploitation, the access logs of the TMUI interface should be reviewed for exploitation attempts. In particular, successful requests to `/tmui/login.jsp/..;/*` should be carefully investigated.\n\n## Workarounds\n\nIn case an immediate update is not possible, other recommendations are given in the F5 BIG-IP bulletin [3].\n\nAlso, to mitigate this vulnerability for affected F5 products, management access to F5 products should only be permitted over a secure network.\n\n\n# References\n\n[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902>\n\n[2] <https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/>\n\n[3] <https://support.f5.com/csp/article/K52145254>\n\n[4] <https://gist.github.com/ykoster/11148b1783b2205f9a4981b251e522a0>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>05/07/2020 --- v1.0 -- Initial publication</em></li><li><em>06/07/2020 --- v1.1 -- Update related to existing exploits</em></li></ul><h2 id=\"summary\">Summary</h2><p>A new vulnerability has been discovered in the configuration interface of the BIG-IP application delivery controller (ADC) used by some of the world's biggest companies. Attackers can run commands as an unauthorized user and completely compromise a system, including interception of controller application traffic. The vulnerability can be exploited remotely, and is already being actively exploited [1, 4].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, tracked as CVE-2020-5902, received a CVSS score of 10, the highest possible severity. To exploit it, an attacker needs to send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration. The vulnerability is only exploitable if the management interface is exposed, which generally should not be the case for properly configured systems.</p><p>By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.</p><p>RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation [2].</p><p>Numerous researchers have already publicly posted exploits for this vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices [4]. <strong>Active exploitation is ongoing</strong>.</p><h2 id=\"products-affected\">Products Affected</h2><p>The Traffic Management User Interface (TMUI) of the BIG-IP versions [3]:</p><ul><li>15.0.0-15.1.0.3,</li><li>14.1.0-14.1.2.5,</li><li>13.1.0-13.1.3.3,</li><li>12.1.0-12.1.5.1,</li><li>11.6.1-11.6.5.1.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>F5 Networks has released a patch for this vulnerability. Depending on the version of the software, it should be immediately upgraded to the respective fixed build:</p><ul><li>11.6.5.2,</li><li>12.1.5.2,</li><li>13.1.3.4,</li><li>14.1.2.6,</li><li>15.1.0.4.</li></ul><p>Because many exploits are already available and <strong>the vulnerability is actively exploited</strong>, CERT-EU strongly recommends patching these products as soon as possible.</p><h3 id=\"exploitation-detection\">Exploitation Detection</h3><p>To check for exploitation, the access logs of the TMUI interface should be reviewed for exploitation attempts. In particular, successful requests to <code>/tmui/login.jsp/..;/*</code> should be carefully investigated.</p><h3 id=\"workarounds\">Workarounds</h3><p>In case an immediate update is not possible, other recommendations are given in the F5 BIG-IP bulletin [3].</p><p>Also, to mitigate this vulnerability for affected F5 products, management access to F5 products should only be permitted over a secure network.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\">https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K52145254\">https://support.f5.com/csp/article/K52145254</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://gist.github.com/ykoster/11148b1783b2205f9a4981b251e522a0\">https://gist.github.com/ykoster/11148b1783b2205f9a4981b251e522a0</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}