A critical vulnerability in F5 Networks’ BIG-IP networking gear is under active attack, just days after the company first announced the flaw.
F5 released an urgent advisory on June 30 on two vulnerabilities in its line of BIG-IP products which could result in “complete system compromise.” The more serious of the two, a remote code execution vulnerability (CVE-2020-5902) in the Traffic Management User Interface (TMUI), could allow unauthenticated attackers to intercept information, access networks, carry out system commands, create or delete files, disable services, and remotely execute arbitrary Java code, F5 said. It received the maximum CVSSv3 (Common Vulnerability Scoring System) severity score of 10.0. The other vulnerability (CVE-2020-5903) is a cross-site scripting vulnerability in the configuration utility. It, too, can be leveraged for remote code execution, by running attacker-supplied JavaScript in the browser of a logged-in user.
F5 released fixed versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4 and 15.1.0.4) addressing both vulnerabilities. It took just three days for security researchers to start seeing attacks exploiting the critical flaw.
United States Cyber Command urged government and private business users to apply the updates on affected equipment as soon as possible, saying the patching was “URGENT.” The Cybersecurity and Infrastructure Security Agency from the Department of Homeland Security also released an alert on Saturday.
“If you didn’t patch by this morning, assume [you are] compromised,” CISA Director Chris Krebs said Sunday. “Keep patching and check logs.”
Many products in the BIG-IP family of networking equipment use the impacted TMUI, including load balancers, firewalls, rate limiters, and web traffic shaping systems. Vulnerable versions include 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x. BIG-IQ and Traffix SDC products are not vulnerable.
To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to the server hosting the BIG-IP TMUI, said Mikhail Klyuchnikov, a researcher with Positive Technologies who reported the issue to F5. The issue is particularly serious for the minority of BIG-IP owners who have exposed the TMUI to the Internet, as their devices can be discovered with tools such as Shodan. Klyuchnikov estimated approximately 8,000 vulnerable devices exposed to the Internet. The good news is that most companies did not leave the configuration interface accessible from the Internet. Devices whose TMUI is reachable only from internal networks are still exploitable by anyone who can reach the management port or a self IP, so the fix applies to them as well.
This line of networking equipment is widely used, and can be found in banks, government agencies, internet service providers, and some of the world’s largest companies. BIG-IP devices terminate TLS for the web servers behind them, so an attacker with control of the device could steal the private keys of the organization’s certificates and decrypt the traffic passing through it. An attacker could also use the compromised device to move around the network, or collect administrator credentials. It would also be possible to hijack existing sessions by stealing session cookies and license keys.
Troy Mursch of Bad Packets said the company’s preliminary scans for the BIG-IP vulnerability found more than 1,800 vulnerable hosts, and the honeypots had detected opportunistic mass scanning activity originated from multiple locations targeting those servers.
On Saturday, exploitation attempts were coming from Italy, although by Monday morning, the majority of remote code execution attempts targeting the BIG-IP vulnerability were originating from China, according to Rich Warren, a researcher with NCC Group.
“We are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python,” Warren wrote on Twitter.
NCC Group said in a report released on Sunday that active exploitation started on Friday.
Multiple proof-of-concept exploits for arbitrary file read and remote code execution are already public. There is also a public Metasploit module which obtains a root shell. Scanners are also available for security teams to check whether the BIG-IP equipment in their network is vulnerable.
The fact that attack attempts are already happening means security teams now have two tasks: update their BIG-IP equipment, and also check the network logs, examine other systems, and look for clues that a device may already have been used in an attack. Patching closes the hole but does not remove anything an attacker already planted, so an exposed device should be treated as compromised until it has been checked.
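The article says to check the logs but not what to look for. As an added example that is not part of the article, and not F5's or any vendor's tooling, the following Python scans Apache-style access-log lines from a BIG-IP's httpd for the request pattern reported in public analysis of CVE-2020-5902: a `..;` segment in the URL path (which the front-end httpd treats as a directory name while Tomcat treats it as a path parameter, so the request is routed past the login check) followed by one of the TMUI workspace JSPs used for reading files, writing files and running tmsh commands. The log lines are constructed for the example; the indicator list and the `scan_log`/`classify` helpers are this example's own, not from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2020:10:12:31 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2020:10:12:35 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1324 "-" "python-requests/2.23"
198.51.100.4 - - [05/Jul/2020:10:13:02 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.0.2.9 - - [05/Jul/2020:10:14:10 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from public analysis of CVE-2020-5902 (not from the article):
# the "..;" path-parameter traversal and the TMUI workspace JSPs reached through it.
TRAVERSAL = "..;"
WORKSPACE_JSPS = ("fileRead.jsp", "fileSave.jsp", "tmshCmd.jsp")


def normalize_target(target, rounds=3):
    """Percent-decode the request target repeatedly so encoded forms such as
    %2e%2e%3b (and double-encoded variants) compare equal to the plain form."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return the list of indicator descriptions matched by one request target."""
    path = normalize_target(target).split("?", 1)[0]
    reasons = []
    if TRAVERSAL in path:
        reasons.append("path-parameter traversal ('..;') in TMUI request")
    for jsp in WORKSPACE_JSPS:
        if path.endswith("/" + jsp):
            reasons.append(f"workspace endpoint {jsp}")
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious request.
    Severity is 'high' when the traversal is present (unauthenticated access),
    'medium' when only a workspace JSP is hit (legitimate for logged-in admins,
    but worth reviewing during an incident)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m["target"])
        if not reasons:
            continue
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "target": m["target"],
            "reasons": reasons,
            "severity": "high" if any("traversal" in r for r in reasons) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:14} {f['ts']} {f['status']} {f['target']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

A hit with `severity == "high"` and an HTTP 200 on `fileRead.jsp` or `tmshCmd.jsp` means the request got past authentication and the device should be handled as compromised, not merely patched. Matching only `..;` is deliberately narrow; later public reporting found that F5's first `LocationMatch` mitigation, which keyed on the same string, could be bypassed with other `;`-containing paths, so a broader review of any TMUI request path containing a bare `;` is a sensible second pass.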
“This is an incident response, not a patching drill,” said network security specialist Jason Kikta.