F5 patches vulnerability that received a CVSS 10 severity score


Image: ZDNet

F5 Networks, one of the world’s largest provider of enterprise networking gear, has published a security advisory this week warning customers to patch a dangerous security flaw that is very likely to be exploited.

The vulnerability impacts the company’s BIG-IP product. These are multi-purpose networking devices that can work as web traffic shaping systems, load balancers, firewalls, access gateways, rate limiters, or SSL middleware.

BIP-IP is one of the most popular networking products in use today. They are used in government networks all over the globe, on the networks of internet service providers, inside cloud computing data centers, and widely across enterprise networks.

On its website, F5 says its BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.

CVE-2020-5902

Tracked as CVE-2020-5902, the BIG-IP bug was found and privately reported to F5 by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

The bug is a so-called “remote code execution” vulnerability in BIG-IP’s management interface, known as TMUI (Traffic Management User Interface).

Attackers can exploit this bug over the internet to gain access to the TMUI component, which runs on top of a Tomcat server on BIG-IP’s Linux-based operating system.

Hackers don’t need valid credentials to attack devices, and a successful exploit can allow intruders to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code — and eventually lead to attackers gaining full control over the BIG-IP device.

The vulnerability is so dangerous that it received the rare 10 out of 10 score on the CVSSv3 vulnerability severity scale. This score means the security bug is easy to exploit, automate, can be used over the internet, and doesn’t require valid credentials or advanced coding skills to take advantage of.

As a coincidence, this was the second 10/10 CVSS bug in a networking device disclosed this week, after a similar critical bug was revealed to impact Palo Alto Networks VPN and firewall devices on Monday.

Need for urgent patching

US Cyber Command issued a warning to the private and government sector this week to patch the Palo Alto bug — as they expected that foreign state hackers would attempt to exploit the vulnerability.

No official warning was issued by a US cyber-security agency, but the F5 bug is no less severe and just as dangerous as the Palo Alto one.

“The urgency of patching this [bug] cannot be understated,” said on Twitter this week Nate Warfield, a former F5 Networks engineer, and currently a security researcher at Microsoft.

“A common use of their technology is SSL offloading,” he added. “Full compromise of a system could, in theory, allow someone to snoop on unencrypted traffic inside the device.

“Their [management] OS is Linux based, and like most ADCs (application delivery controllers), they are deployed in core, high-access parts of networks.”

Currently, according to a Shodan search, there are around 8,400 BIG-IP devices connected online.

At the time of writing, several companies and security researchers in the cyber-security community have told ZDNet that they have not detected any attacks targeting these devices; but they fully expect attacks to begin soon, especially if a proof-of-concept exploit code is shared publicly online.

The F5 security for the CVE-2020-5902 BIG-IP TMUI RCE is available here, with information on vulnerable firmware versions and patches.