Critical Vulnerability in F5’s BIG-IP (CVE-2020-5902)

How to Detect and Mitigate CVE-2020-5902

Christopher Campbell
Independent Security Evaluators


F5 has released a security advisory for CVE-2020-5902, a critical vulnerability affecting F5 Networks’ BIG-IP multi-purpose networking devices. By sending a maliciously crafted HTTP request to the server, an attacker could read arbitrary files and remotely execute code on the BIG-IP host.

What is Affected?

Vulnerable versions of BIG-IP include: 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x.

Detection

BIG-IP customers can test for the presence of this vulnerability by sending the following maliciously crafted request to the system’s Traffic Manager User Interface (TMUI). The request returns the BIG-IP host’s “/etc/passwd” file without any authentication. In the request below, BIG-IP customers should replace the <IP> portion of the URL with the IP address of the TMUI host.

https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
The malicious request exposes the host’s /etc/passwd file
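Beyond probing the host once, a defender will want to know whether anyone has already sent this request. The following is an added example (my own code, not part of the F5 advisory or any F5 tool) that scans Apache-style access-log lines for the "/..;/" path-traversal trick that the request above relies on, decoding percent-encoding first so encoded variants are not missed. The log lines, IP addresses and user agents are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" style; not traffic
# from any real device. Two lines carry the "/..;/" path-traversal trick that
# CVE-2020-5902 relies on, one of them with the ".." and ";" percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2020:10:01:22 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jul/2020:10:02:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1847 "-" "curl/7.68.0"
203.0.113.7 - - [06/Jul/2020:10:02:09 +0000] "GET /tmui/login.jsp/%2E%2E%3B/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1847 "-" "curl/7.68.0"
198.51.100.9 - - [06/Jul/2020:10:03:41 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

# Minimal parser for the client, timestamp, request target and status of a
# combined-format entry (referrer and user agent are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The bypass embeds "..;" inside a path that starts with the public /tmui/ prefix.
TRAVERSAL_RE = re.compile(r'/tmui/.*\.\.;', re.IGNORECASE)


def is_tmui_traversal(target: str) -> bool:
    """True if the request target carries the /tmui/ "..;" traversal pattern.

    The target is percent-decoded twice first so that encoded variants such as
    %2E%2E%3B (or double-encoded %252E%252E%253B) cannot slip past the check.
    """
    decoded = unquote(unquote(target))
    return TRAVERSAL_RE.search(decoded) is not None


def find_exploit_attempts(log_text: str) -> list:
    """Return one dict per log line whose request target matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_tmui_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                # a 200 means the server served the request, so treat it as a
                # likely successful read rather than a blocked attempt
                "served": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "attempt"
        print(f'{hit["time"]} {hit["ip"]} {flag} {hit["target"]}')
```

A request to fileRead.jsp without the traversal segment (the last sample line) is not flagged, because on an unpatched device it is still subject to the normal login check; the signature is the "..;" segment after /tmui/, whatever file name follows it.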

Remediation

Vulnerable versions are to be replaced by their respective patched versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4). Users of public cloud marketplaces such as AWS, Azure, GCP, and Alibaba are to use BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, if available. A complete list of recommendations can be found in the F5 BIG-IP bulletin.
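When auditing a fleet, the question per device is simply whether its version is below the fixed release for its branch. The following is an added example (my own code, not part of the F5 advisory) that encodes the fixed versions listed above, taking 15.0.1.4 from the Virtual Edition list, and classifies each version string in a constructed inventory; the hostnames and versions are invented for the example.

```python
# Fixed versions named in the advisory, keyed by the affected branch (major, minor).
# 15.0.1.4 comes from the cloud-marketplace (Virtual Edition) list in the post.
FIXED_VERSIONS = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 0, 1, 4),
    (15, 1): (15, 1, 0, 4),
}


def parse_version(text: str) -> tuple:
    """Turn '14.1.2' into (14, 1, 2, 0); missing trailing fields count as 0."""
    fields = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(fields + [0] * (4 - len(fields)))


def format_version(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess_version(text: str) -> dict:
    """Classify one BIG-IP version string against the advisory's fixed versions.

    status is 'vulnerable' (below the fix for its branch), 'patched' (at or
    above it) or 'not-listed' (branch not named as affected in the advisory).
    """
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return {"version": text, "status": "not-listed", "fixed": None}
    status = "vulnerable" if version < fixed else "patched"
    return {"version": text, "status": status, "fixed": format_version(fixed)}


def assess_inventory(inventory: dict) -> dict:
    """Map hostname -> assessment for a {hostname: version} inventory."""
    return {host: assess_version(ver) for host, ver in inventory.items()}


# Constructed inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = {
    "lb-edge-01": "14.1.2.3",
    "lb-edge-02": "14.1.2.6",
    "lb-dmz-01": "15.1.0.2",
    "lb-lab-01": "16.0.0",
}

if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result['version']:10} {result['status']:11} fix={result['fixed']}")
```

A version whose branch is not in the table is reported as "not-listed" rather than "patched", so that a release the advisory does not cover is reviewed against the F5 bulletin rather than silently treated as safe.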

We will update this blog as new information is released, including vulnerability and exploit details as well as updated patch information.


Christopher Campbell is an Associate Security Analyst at Independent Security Evaluators, a firm of security specialists that provide a wide range of services including custom security assessments and software development. ISE also runs IoT Village, which hosts talks by expert security researchers who dissect real-world exploits and hacking contests consisting of off-the-shelf IoT devices.

Twitter: @ISESecurity
