Last week, F5 told customers that a BIG-IP configuration utility called the Traffic Management User Interface (TMUI) is affected by a critical weakness in remote code execution, the exploitation of which may lead to “full system compromise.” The bug is monitored as CVE-2020-5902, and the cybersecurity firm Optimistic Technologies disclosed it to F5. The vendor has released patches for versions impacted. “Remote attackers with access to the BIG-IP configuration utility could execute remote code without authorization by exploiting this vulnerability,” explained Mikhail Klyuchnikov, a researcher at Positive Technologies. “The attacker can build or delete files, disable services, intercept information, execute arbitrary system commands and Java code, thoroughly compromise the system and seek additional targets, such as the internal network. In this scenario, RCE stems from security vulnerabilities in multiple elements, such as one that enables traversal manipulation of folders. Positive Technologies reported that it had found more than 8,000 compromised devices that were directly exposed to the internet, but that most businesses would not leave the affected web-accessible configuration interface. Just days after the CVE-2020-5902 disclosure, researchers began releasing proof-of – concept (PoC) exploits to read arbitrary files and execute remote code. Others have released scanners that test the vulnerability of a specified BIG-IP installation to attacks, and there is even a Metasploit module that helps to obtain a root shell. A video published by DeeLMind demonstrates how easy it is to exploit this vulnerability when exposing the BIG-IP configuration interface.
NCC Group’s Rich Warren announced on Saturday that the firm has already begun to see attempts to exploit CVE-2020-5902. The first attacks that NCC witnessed read files and extracted encrypted passwords but did not attempt remote execution of code and delivery of binary payload. The U.S. Cyber Command has instructed organizations to submit the fixes to CVE-2020-5902 and CVE-2020-5903 immediately, another weakness found by Optimistic Technology that can be exploited to gain complete control of a BIG-IP.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020