Two days after the patches for the critical F5 BIG-IP vulnerability were released, security researchers began publicly releasing proof of concept (PoC) exploits that show how easy it is to exploit these devices.
F5 customers using BIG-IP devices and solutions include governments, Fortune 500 companies, banks, Internet service providers, and many consumer brands, including Microsoft, Oracle, and Facebook.
On Friday, F5 disclosed that it had released patches for a critical vulnerability, tracked as CVE-2020-5902 and rated 10/10 on the CVSSv3 scale.
This vulnerability allows a remote attacker to access the BIG-IP Application Delivery Controller (ADC) Traffic Management User Interface (TMUI) without authentication and perform remote code execution.
Exploiting a BIG-IP device would allow an attacker to gain full control of the system, export user credentials, and potentially move laterally into the internal network behind the device.
“This vulnerability allows unauthenticated attackers, or authenticated users, with network access to TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability can result in a total system compromise. The BIG-IP system in Appliance mode is also vulnerable. This problem is not exposed in the data plane; only the control plane is affected,” says the F5 notice.
Due to the severity of this vulnerability, the US Cyber Command issued an alert recommending that users install the update and not postpone it until after the July 4 holiday.
F5 BIG-IP PoC exploits released and actively used
Today, numerous researchers have begun publishing exploits for the F5 BIG-IP CVE-2020-5902 vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices.
One researcher has created a GitHub repository that lists PoCs for various tasks, such as reading the /etc/passwd file (a standard proof of arbitrary file read) or the device configuration file to retrieve stored credentials.
NCC Group’s Rich Warren has already begun to see remote attacks attempting to exploit F5 BIG-IP devices.
If you are using F5 BIG-IP devices on your network, you should patch your devices now.
BIG-IP versions vulnerable to attack (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated to the corresponding patched versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4).
Users of cloud marketplaces (e.g. AWS, Azure, GCP, and Alibaba) are encouraged to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available.
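The version lists above are easy to misread when you have dozens of devices to check, so here is an added triage script (example code written for this article, not F5's tooling or the researchers' PoCs) that maps each BIG-IP version in an inventory to the fixed version it should be upgraded to. It assumes the standard dotted version form shown above, that any version at or above the fixed version on the same branch carries the fix, and that a trailing "-build" suffix can be ignored; the hostnames and versions in the sample inventory are constructed. A branch that is not in the advisory list (for example an end-of-life release) is reported as "unlisted" rather than "patched", because absence from the list is not evidence of safety.

```python
"""Triage BIG-IP versions against the fixed versions listed for CVE-2020-5902."""

# Fixed versions per affected branch, as listed in the advisory summary above.
# Keys are (major, minor) branches; values are the first fixed version.
FIXED_VERSIONS = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 0, 1, 4),
    (15, 1): (15, 1, 0, 4),
}


def parse_version(text):
    """Turn a dotted BIG-IP version string into a 4-tuple of ints.

    Shorter strings such as "15.1" are padded with zeros; a trailing build
    suffix after '-' (assumed form, e.g. "14.1.2.6-0.0.2") is ignored.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(version_text):
    """Classify one version as 'vulnerable', 'patched' or 'unlisted'.

    'unlisted' means the branch is not in the advisory's affected/fixed list
    reproduced above (e.g. an end-of-life branch); it is NOT a clean bill of
    health and should be checked against the vendor advisory directly.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return {"version": version_text, "status": "unlisted", "upgrade_to": None}
    if version >= fixed:
        return {"version": version_text, "status": "patched", "upgrade_to": None}
    return {
        "version": version_text,
        "status": "vulnerable",
        "upgrade_to": ".".join(str(n) for n in fixed),
    }


def triage_inventory(inventory_text):
    """Parse 'hostname version' lines and return one triage record per host."""
    results = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version_text = line.split(None, 1)
        record = triage(version_text)
        record["host"] = host
        results.append(record)
    return results


def hosts_needing_patch(inventory_text):
    """Return [(host, upgrade_to)] for every vulnerable host in the inventory."""
    return [
        (r["host"], r["upgrade_to"])
        for r in triage_inventory(inventory_text)
        if r["status"] == "vulnerable"
    ]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
# host            version
lb-edge-01        14.1.2.3
lb-edge-02        14.1.2.6
lb-core-01        15.0.1.2-0.0.9
lb-core-02        15.1.0.4
lb-lab-01         13.1
lb-legacy-01      10.2.4
"""

if __name__ == "__main__":
    for host, target in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable, upgrade to {target}")
    for r in triage_inventory(SAMPLE_INVENTORY):
        if r["status"] == "unlisted":
            print(f"{r['host']}: {r['version']} not in the advisory list, verify manually")
```

Run against the constructed inventory, it flags lb-edge-01, lb-core-01 and lb-lab-01 as needing 14.1.2.6, 15.0.1.4 and 13.1.3.4 respectively, and reports lb-legacy-01 as unlisted. Feed it the real version strings from your own devices (or the cloud marketplace image versions) and treat every "vulnerable" and "unlisted" row as work to do before the weekend.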
If they have not done so already, APT groups, state-sponsored actors and ransomware operators will undoubtedly use this vulnerability to try to breach your network. Patch now!