Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks BIG-IP multipurpose network devices, to install coin miners or IoT malware and to exfiltrate administrator credentials from compromised devices.
About CVE-2020-5902
CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (also known as Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s largest companies.
It was discovered, together with CVE-2020-5903 (a less severe XSS vulnerability that allows malicious JavaScript to run in the context of a logged-in user on BIG-IP devices), by researcher Mikhail Klyuchnikov of Positive Technologies.
To exploit CVE-2020-5902, an attacker must send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI), the BIG-IP configuration utility.
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, execute arbitrary system commands and Java code, completely compromise the system and pursue additional objectives, such as the internal network,” said the researcher.
“RCE in this case is the result of security flaws in multiple components, such as one that allows cross-directory exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is featured in search engines like Shodan. Fortunately, most companies that use the product do not allow access to the interface from the Internet.”
Shodan shows around 8,500 vulnerable devices available on the Internet, almost 40% of which are in the U.S.
Active exploitation
F5 Networks published security advisories for both flaws last Wednesday, just as the United States was heading into the long Independence Day weekend.
Both the company and United States Cyber Command urged administrators on Friday to check whether their F5 BIG-IP web interfaces were exposed to the Internet and to apply the available patches before the weekend began.
At the time there was no public exploit for CVE-2020-5902, but several became available soon after, and a Metasploit module was in the works.
Predictably, opportunistic mass scanning for vulnerable devices started over the weekend, and the vulnerability began to be exploited by a variety of attackers:
Starting this morning, we are seeing an increase in RCE attempts against our honeypots, using a combination of the public Metasploit module or the like via Python. Also a huge wave of attacks coming from 🇨🇳 that ping back through curl to …dnslog[.]cn
– Rich Warren (@buffaloverflow) July 6, 2020
What to do?
According to F5 Networks, 48 of the Fortune 50 companies use BIG-IP network devices as server load balancers, application delivery controllers, gateways and so on. They are also used by ISPs and governments.
As noted above, F5 Networks released fixed software versions last week, along with mitigation advice for organizations that cannot patch immediately.
For organizations that missed all of this, Microsoft security professional Kevin Beaumont offers the following advice:
Therefore, people are removing secrets (credentials) from BIG-IP boxes in an automated way. If you don’t patch before the weekend, I think you’ll need to rotate the credentials and check the logs after patching when you get back to work.
– Kevin Beaumont (@GossiTheDog) July 5, 2020
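The log check Beaumont recommends can be automated. The following is an added example (not from the article, F5, or Beaumont) that scans web-server access-log lines for requests to the TMUI path that contain a path-traversal sequence, which is what the researcher’s “cross-directory exploitation” remark points at. The log lines, the traversal patterns (`..` and `..;`, including URL-encoded forms) and the `/tmui/example.jsp` target are constructed assumptions for illustration, not indicators published on the page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical; not taken from the page or a real device).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1532
203.0.113.5 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200 918
198.51.100.7 - - [05/Jul/2020:10:03:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/example.jsp HTTP/1.1" 200 412
192.0.2.9 - - [05/Jul/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 77
203.0.113.5 - - [05/Jul/2020:10:05:20 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0
"""

# Common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, including the ".." followed by ";" variant (assumed traversal marker).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(;|/|$)')


def is_suspicious(path: str) -> bool:
    """True when a request targets the TMUI path and carries a traversal sequence after decoding."""
    decoded = unquote(unquote(path))  # decode twice so double-encoded sequences are caught too
    return decoded.lower().startswith('/tmui/') and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return one record per suspicious request; a 200 status means the server served it."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m['path']):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': m['path'], 'status': int(m['status'])})
    return hits


def summarize(hits: list) -> Counter:
    """Count suspicious requests per source address, useful for prioritising follow-up."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
    print(summarize(found))
```

Any hit with a 200 status on a patched device still warrants the credential rotation the tweet describes, since the request was served before the patch.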
SANS ISC handler Didier Stevens has also provided helpful links and tips.