Cyber Command backs ‘urgent’ patch for F5 security vulnerability

One of the largest providers of enterprise networking equipment in the world, F5 Networks, has issued a security fix for a major vulnerability that, if exploited, could result in a “complete system compromise.”

F5’s BIG-IP is among the most popular networking gear in use today, with adoption across government networks, internet service providers, and cloud computing data centers. If security administrators fail to patch the new vulnerability, though, attackers could wreak havoc on their systems, according to information security specialists. Mikhail Klyuchnikov, the senior web application security researcher at Positive Technologies who uncovered the flaw, estimated that there are approximately 8,000 vulnerable devices exposed to the internet.

The remote code execution vulnerability, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of the BIG-IP products, which can function as load balancers, firewalls, rate limiters, and web traffic shaping systems. Attackers who exploit the weakness can execute arbitrary system commands, create files, delete files, or disable services, according to F5.

The vulnerability is so serious it received the highest possible score of 10 from the Common Vulnerability Scoring System (CVSS). The Department of Defense’s Cyber Command warned in a tweet Friday that patching is “URGENT,” and that it “should not be postponed over the weekend.” The Department of Homeland Security’s cybersecurity agency also advised administrators to update their F5 systems on July 4.

“If you didn’t patch by this morning, assume [you are] compromised,” the Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs said in a tweet Monday. “Keep patching and check logs.”

To exploit the flaw, an attacker would need to send a specially crafted HTTP request to servers hosting the BIG-IP TMUI, according to Klyuchnikov.

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” Klyuchnikov said in a statement. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.”

Rich Warren, principal security consultant at NCC Group, said his company had observed active exploitation soon after the government started pushing out its alerts.

“So far, attacks have been varied and opportunistic, and we’ve seen a sharp rise following the public release of tooling to make it trivial for low-skilled hackers to exploit,” Warren told CyberScoop. “We are continually monitoring and flagging any new and novel attempts to exploit this vulnerability, and we’d encourage all [organizations] to update themselves and act now if they think they have been compromised.”

By press time Monday, NCC Group had observed an increase in exploitation attempts via the public Metasploit module. While many of the first exploits emanated from Italy, a “large volume” of attempts at “identifying vulnerable servers, which the attacker can then come back to and exploit further later,” has been emanating from China, Warren told CyberScoop.
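Klyuchnikov’s description of the flaw (a crafted HTTP request to the TMUI that abuses directory traversal) and Krebs’ advice to “check logs” both point at the same defensive step: reviewing web-server access logs for traversal attempts against the management interface. The following is an added example for that review, not code from F5, Positive Technologies, NCC Group or CyberScoop. It assumes TMUI is served under a `/tmui/` URL prefix and that the log lines are in Apache/NGINX “combined” format; the sample lines are constructed, and the target file names in them are placeholders. It flags a `..` segment whether it is written plainly, percent-encoded (including double encoding), or followed by a `;` path-parameter delimiter, which is one way traversal sequences survive naive path normalization.

```python
"""Flag access-log lines that look like directory-traversal attempts against a
BIG-IP TMUI path.  Added example (not F5's or a researcher's code); the /tmui/
prefix and the log format are assumptions for this illustration."""
import re
from urllib.parse import unquote

# Assumed: TMUI is served under this path prefix (assumption for this example).
TMUI_PREFIX = "/tmui/"

# A traversal segment: '..' delimited by a path separator or by a ';' path-
# parameter delimiter, so that '/..;/' is caught as well as '/../'.
TRAVERSAL_RE = re.compile(r"(^|[/\\;])\.\.(?=[/\\;]|$)")

# Apache/NGINX "combined" access-log shape, assumed for the sample lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly so both %2e%2e and %252e%252e end up as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_tmui_request(line):
    """True if the request targets the TMUI prefix and contains a traversal segment."""
    rec = parse_line(line)
    if rec is None:
        return False
    # Drop the query string, then decode so encoded dots and delimiters are visible.
    path = fully_decode(rec["target"].split("?", 1)[0])
    if not path.lower().startswith(TMUI_PREFIX):
        return False
    return TRAVERSAL_RE.search(path) is not None


def scan(lines):
    """Return (source IP, raw request target) for each flagged line."""
    flagged = []
    for line in lines:
        if is_suspicious_tmui_request(line):
            rec = parse_line(line)
            flagged.append((rec["ip"], rec["target"]))
    return flagged


# Constructed sample log lines (not real traffic); target file names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jul/2020:09:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1234',
    '203.0.113.9 - - [06/Jul/2020:09:01:15 +0000] "GET /tmui/..;/tmui/PLACEHOLDER.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jul/2020:09:02:03 +0000] "GET /tmui/%2e%2e%3b/tmui/PLACEHOLDER.jsp?x=1 HTTP/1.1" 404 0',
    '198.51.100.8 - - [06/Jul/2020:09:02:30 +0000] "GET /images/..;/logo.png HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"suspicious TMUI request from {ip}: {target}")
```

A hit on this check is a reason to look further (what the request returned, what the source did next), not proof of compromise on its own; as Krebs’ tweet implies, on an unpatched device the safer assumption is that exploitation may already have happened. The fourth sample line is deliberately left unflagged: it has a traversal sequence but is outside the management interface path, which keeps the check focused on the interface this vulnerability affects.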

It’s the second flaw revealed last week to receive a CVSS score of 10: Cyber Command also highlighted a critical flaw in Palo Alto Networks technology with the same maximum score.

Vulnerable versions of BIG-IP include 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x, according to Positive Technologies.