F5 patches a critical Remote Code Execution (RCE) vulnerability in undisclosed pages of the Traffic Management User Interface (TMUI) of its BIG-IP application delivery controller (ADC)
F5 has patched a critical Remote Code Execution (RCE) vulnerability in undisclosed pages of the Traffic Management User Interface (TMUI) of its BIG-IP application delivery controller (ADC), a flaw that puts many of the world’s biggest companies at risk.
BIG-IP is an application delivery controller (ADC) used by major businesses, including banks, service providers and IT giants such as Facebook, Microsoft and Oracle. BIG-IP devices are also deployed in government networks around the globe, on the networks of internet service providers, inside cloud computing data centres and widely across enterprise networks.
F5 Networks says BIG-IP devices are used on the networks of 48 of the Fortune 50 companies.
The vulnerability was privately reported to F5 by Mikhail Klyuchnikov of Positive Technologies.
It is tracked as CVE-2020-5902, and F5 has assigned it the maximum CVSSv3 severity score of 10/10. An attacker who can reach the BIG-IP Configuration utility (TMUI) over the network can exploit it to execute code remotely without authentication.
CVE-2020-5902 allows unauthenticated attackers, or authenticated users, with network access to the Configuration utility through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, intercept information, and/or execute arbitrary Java code.
To exploit the issue, an attacker with network access to the BIG-IP Configuration utility sends maliciously crafted HTTP requests to the server hosting the TMUI.
Successful exploitation can lead to full system compromise, including interception of the application traffic the controller handles and lateral movement to further targets on the internal network.
According to a Shodan search, more than 8,400 BIG-IP devices are exposed online; about 40% of them are in the US, 16% in China, 3% in Taiwan and 2.5% each in Canada and Indonesia.
F5 advises upgrading to a fixed software version, which is the only way to fully remediate the vulnerability. Organizations unable to update immediately can reduce their exposure by adding a LocationMatch element to the httpd configuration and by blocking access to the TMUI of their BIG-IP system via Self IPs; this is a stopgap, not a fix.
An F5 security advisory provides details on how to perform these actions.
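As an added illustration, and not text or commands taken from the article or the F5 advisory itself, the tmsh session below applies the two stopgap mitigations described above. The `include` value is the LocationMatch stanza F5 published after its first pattern (a bare `;`) was shown to be bypassable; `192.0.2.0/24` and `external_self` are placeholders for your own administrative network and Self IP name.

```tmsh
# Added example: stopgap mitigations for CVE-2020-5902 on BIG-IP (not from the article).
# Run from the tmsh shell (type "tmsh" from the advanced shell first).

# 1) Make httpd answer 404 to the request paths the revised F5 mitigation matches.
#    This only hides the vulnerable pages; the code is still on the box until you upgrade.
modify /sys httpd include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'
save /sys config
restart sys service httpd

# 2) Restrict which source networks may reach the Configuration utility on the
#    management port. 192.0.2.0/24 is a placeholder for your admin network.
modify /sys httpd allow replace-all-with { 192.0.2.0/24 }
save /sys config

# 3) Stop the TMUI from being reachable on a Self IP via port lockdown.
#    "external_self" is a placeholder; list your Self IPs with: list /net self
modify /net self external_self allow-service none
save /sys config
```

Confirm the result with `list /sys httpd include`, `list /sys httpd allow` and `list /net self external_self allow-service`. Note that `allow-service none` blocks every inbound service on that Self IP, including HA and config-sync traffic, so apply it only to Self IPs that do not carry those services, or use a custom allow list that omits port 443. None of this replaces upgrading to a fixed version.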