Two days after patches for a critical F5 BIG-IP vulnerability were released, security researchers have started publicly posting proof-of-concept (PoC) exploits showing how easy it is to exploit these devices.
F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet service providers, and many consumer brands, including Microsoft, Oracle, and Facebook.
This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.
Exploiting a BIG-IP device would allow an attacker to gain full access to the system, export user credentials, and potentially traverse the device’s internal network.
“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected,” F5’s advisory reads.
Due to the severity of this vulnerability, the US Cyber Command issued an alert strongly advising that users install the update and not postpone it until after the Fourth of July holidays.
F5 BIG-IP PoC exploits released and actively used
Today, numerous researchers have started to publicly post exploits for the F5 BIG-IP CVE-2020-5902 vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices.
Another researcher has created a GitHub repository that lists PoCs to perform various tasks such as displaying the /etc/passwd file to access stored credentials or to view the device’s configuration file.
NCC Group’s Rich Warren has already started to see remote attacks attempting to exploit F5 BIG-IP devices.
If you are using F5 BIG-IP devices on your network, you must patch your devices now.
BIG-IP versions vulnerable to attacks (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be upgraded to the corresponding patched versions (18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206).
Users of cloud marketplaces (e.g., AWS, Azure, GCP, and Alibaba) are advised to switch to BIG-IP Virtual Edition (VE) versions 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, or 184.108.40.206, if available.
Without a doubt, APT, state-sponsored actors, and ransomware operators will, if not already, use these vulnerabilities to try and breach your network. Patch now!
The information is gathered from Bleeping Computer.