CVE-2020-5903 Vulnerabilities in F5’s BIG-IP Allow Full System Compromise

Last week, F5 Networks, one of the world’s largest provider of application delivery networking products, released a security advisory to warn their customers about a dangerous vulnerability that cybercriminals could start exploiting in the near future if it wasn’t already exploiting in the wild. 

The security flaw was discovered in multi-purpose networking devices (BIP-IP) that can work as load balancers, SSL middleware, web traffic shaping systems, access gateways, rate limiters, or firewalls. These devices are often used by government organizations, Telecoms, ISPs, cloud computing data centers, and more. Almost all companies mentioned in the Fortune 50 list use BIG-IP devices on their networks.

CVE-2020-5902 is a remote code execution vulnerability in BIG-IP’s management interface – TMUI, also referred to as the Configuration utility. This security flaw can be exploited over the internet by unauthenticated adversaries to gain access to the TMUI component. Successful exploitation of CVE-2020-5902 enables attackers to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability allows adversaries to gain full control over the attacked BIG-IP device.

In regards to RCE CVE-2020-5903 reported on Friday, taking into account the threat level of this vulnerability and delays in the upgrade process specific to Enterprise production environments, we have allocated our TDM content development team resources for the weekend.

We are glad to report that Sigma rule is developed for the detection of this threat. Rule is available at the TDM platform here: 

https://tdm.socprime.com/tdm/info/a3bYpIF6od6C

Detection rules were developed within 4 days of vulnerability disclosure:  

https://twitter.com/cyb3rops/status/1279743433423364096

https://support.f5.com/csp/article/K43638305

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio 

EDR: Carbon Black, Elastic Endpoint

NTA: Corelight

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

Dependencies: to detect external exploitation attempts F5 device internal httpd logs are required, to detect internal exploitation attempts rule is using proxy logs.

Currently, there are already several PoCs for CVE-2020-5903 (1, 2, 3, 4), so it is vital that you install the necessary update as soon as possible and use the detection rules to make sure your organization’s network is secure.

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.