On July 3, 2020, F5 Networks released a notification of two vulnerabilities to the Traffic Management User Interface (TMUI) of BIG-IP network devices. CVE-2020-5902 is a vulnerability that can result in a full device takeover via remote code execution (RCE), and CVE-2020-5903 which is a cross-site scripting (XSS) vulnerability that could also lead to RCE if the logged-in user is an administrator.
The successful exploitation of CVE-2020-5902 could result in the full administrative takeover of a device without the need for authentication. This would allow a remote attacker to intercept information, delete files, create files, execute arbitrary system commands, disable services — any action an administrator can perform. This issue only affects the control plane (data plane is not affected).
Exploiting CVE-2020-5903, the XSS vulnerability, could allow similar results, however this vulnerability is exploited in the context of the logged in user’s permissions level. In the event this was exploited with an administrator account currently logged in, the results could be the same as the CVE-2020-5902.
These vulnerabilities both have higher CVSSv3 scores, CVE-2020-5902 receiving the rare 10 out of 10, and 7.5 for CVE-2020-5903. Due to the existence of active attacks, proof-of-concept code, and the ease of exploitation for the RCE vulnerability, deepwatch recommends patching as soon as possible after thorough testing (prior to deployment in production).
Managing and Mitigating Risk
F5 Networks recommends updating to fully mitigate these vulnerabilities. If you are a deepwatch VM customer, deepwatch can locate devices that have potential to have this vulnerability. For CVE-2020-5902, the following temporary mitigations can be utilized for all network interfaces (including management interfaces) as well as Self IPs.
All network interfaces
- Log in to the TMOSH shell (tmsh) by entering the following command:
- Edit the httpd properties by entering the following command:
edit /sys httpd all-properties
- locate the include section and add the following:
Redirect 404 /
- Write and save the changes to the configuration file by entering the following commands:
- Save the configuration by entering the following command:
save /sys config
- Restart the httpd service by entering the following command:
restart sys service httpd
NOTE: this fix prevents all access to the TMUI/Configuration utility via the Self IP. These changes may also impact other services.
Block all access to the TMUI of your BIG-IP system via Self IPs. To do so, you can change the Port Lockdown setting to Allow None for each Self IP in the system. If you must open any ports, you should use Allow Custom, taking care to disallow access to TMUI. By default, TMUI listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, a custom port may be configured.
To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network. For CVE-2020-5903, you should permit management access to F5 products only over a secure network, and limit shell access to only trusted users.
This vulnerability is specific to BIG-IP products (LTM, AAM, AFM, Analytics,APM, ASM, DNS, FPS, GTM, Link Controller, PEM). Versions affected include the following:
- 15.x (<=220.127.116.11 vulnerable)
- 14.x (<=18.104.22.168 vulnerable)
- 13.x (<=22.214.171.124 vulnerable)
- 12.x (<=126.96.36.199 vulnerable)
- 11.x (<=188.8.131.52 vulnerable)
- NOTE: Affects neither BIG-IQ Centralized Management, nor Traffix SDC products.
Tenable Plugin ID 137918 will detect CVE-2020-5902. Plugin IDs 137917 and 137915 will detect CVE-2020-5903.
Qualys QIDs 38791 and 373106 will detect CVE-2020-5902. QID 373107 will detect CVE-2020-5903.