The vulnerability, which received the highest possible severity score, leaves thousands of devices at risk of being taken over by remote attackers. A patch is available.
F5 Networks, one of the world’s leading providers of enterprise networking equipment, has recently published a security advisory about a critical vulnerability that impacts its BIG-IP multi-purpose networking devices and “may result in complete system compromise”. The company has also released a patch plugging the security hole, even as multiple security experts report that attackers are already deploying exploits targeting the flaw.
Evidence of miscreants actively trying to exploit the vulnerability was recorded as early as July 4th, with the first attempts coming out of Italy. NCC Group also recorded increased activity over the next few days on the honeypots that it had set up to bait potential attackers.
Other researchers have publicly shared proof-of-concept (PoC) exploits for the vulnerability, showing how easy it is to compromise unpatched devices.
TMSH access in a matter of minutes 😱 (CVE-2020-5902). Of course this does require access to the management interface. pic.twitter.com/FcR2zRZBG9
— Yorick Koster (@yorickkoster) July 5, 2020
Indexed as CVE-2020-5902, the remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of a line of BIG-IP products holds the “perfect” score of 10.0 on the Common Vulnerability Scoring System (CVSS) severity scale. According to Mikhail Klyuchnikov, a researcher at Positive Technologies who discovered the critical flaw, a hacker with access to the BIG-IP configuration utility could exploit the device remotely without authentication.
“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” he added.
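As an added illustration (not code from this article, from F5 or from Positive Technologies), the following Python script shows the defender-side check that goes with the directory-traversal component Klyuchnikov mentions: it parses web-server access-log lines, URL-decodes each request path repeatedly so that double-encoded sequences are caught, strips servlet-style “;param” path parameters from each segment, and flags any request whose decoded path contains a “..” segment, reporting where the path would resolve. The log lines, the client addresses and the “/tmui/” path prefix are constructed for the example and are not data from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format). They are
# not real traffic: two ordinary requests to the configuration utility and
# two requests carrying plain and double-encoded traversal sequences.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/Control/form?x=1 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2020:10:02:40 +0000] "GET /tmui/../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.68.0"
198.51.100.7 - - [05/Jul/2020:10:02:41 +0000] "GET /tmui/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 210 "-" "curl/7.68.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(target, max_decode=3):
    """Return the request path as a file-serving component would most
    plausibly see it: query string dropped, percent-encoding undone
    repeatedly (bounded, to catch double encoding), and ';name=value'
    path parameters removed from each segment, since servlet containers
    do not treat them as part of the segment name."""
    path = target.split("?", 1)[0]
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_traversal(target):
    """True if the decoded path contains a '..' segment."""
    return ".." in decode_path(target).split("/")


def scan_log(text, protected_prefix="/tmui/"):
    """Return one record per request that carries a traversal sequence.

    'aimed_at_prefix' notes whether the raw target started under the
    protected prefix (assumed here to be /tmui/), and 'resolved' is the
    path the traversal would reach after '..' segments are collapsed."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m.group("target")):
            continue
        target = m.group("target")
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "target": target,
            "status": int(m.group("status")),
            "aimed_at_prefix": target.startswith(protected_prefix),
            "resolved": posixpath.normpath(decode_path(target)),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']}"
              f" -> resolves to {hit['resolved']} (status {hit['status']})")
```

Run against a real access log, the same function gives a quick triage list of hosts that sent traversal sequences at the management interface; a 404 response does not mean the attempt was harmless, so every hit is worth correlating with the patch status of the device that logged it.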
Klyuchnikov also uncovered another, though less severe, vulnerability in BIG-IP that earned a severity score of “only” 7.5. Tracked as CVE-2020-5903, the cross-site scripting vulnerability in the BIG-IP configuration interface could allow a cybercriminal to run malicious code with the same rights as a logged-in user. Successful exploitation of the flaw could even lead to a full compromise of the device.
While F5 Networks disclosed the vulnerabilities and released patches last Wednesday, many devices remain unpatched. The United States Cyber Command also issued an alert about the flaws and urged everyone to install the updates post-haste. F5 Networks counts 48 out of the Fortune 50 among its clients and its devices are used by governments as well.
URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020
At the time of the warning, a Shodan search turned up more than 8,000 BIG-IP devices connected to the internet. If your company uses any of the affected devices, you should patch them immediately. F5’s security advisories for both CVE-2020-5902 and CVE-2020-5903 feature the full list of affected devices and remediation steps.