AttackerKB AKB:9145594F-0C56-4810-971F-471FE4AD6424
Dec 11, 2020 - 12:00 a.m.

CVE-2020-5948 — F5 TMUI XSS vulnerability

Source: attackerkb.com

CVSS3: 9.6 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.
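The affected ranges above are the kind of list one checks an estate against, and comparing dotted BIG-IP versions by hand is error-prone. The following Python is an added example, not code from AttackerKB or F5: it parses version strings into comparable tuples and reports which inventory entries fall inside a listed range. The range boundaries are copied from the advisory text; the hostnames and versions in the sample inventory are constructed.

```python
"""Check BIG-IP version strings against the ranges CVE-2020-5948 lists as
affected.  The ranges come from the advisory; the parsing and comparison
logic is an added example."""

# Affected ranges as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("16.0.0", "16.0.0.1"),
    ("15.1.0", "15.1.0.5"),
    ("14.1.0", "14.1.2.7"),
    ("13.1.0", "13.1.3.4"),
    ("12.1.0", "12.1.5.2"),
    ("11.6.1", "11.6.5.2"),
]


def parse_version(version: str) -> tuple:
    """Turn '15.1.0.5' into (15, 1, 0, 5).  Three-part strings are padded
    with a trailing zero so '15.1.0' compares equal to '15.1.0.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True if the version lies within any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map hostname -> version onto hostname -> 'affected' / 'not listed'.

    'not listed' is deliberately not 'safe': the advisory only enumerates
    the ranges above, so anything outside them needs a separate check."""
    return {host: ("affected" if is_affected(ver) else "not listed")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "bigip-edge-01": "15.1.0.4",
        "bigip-edge-02": "15.1.0.6",
        "bigip-lab": "14.1.2.7",
        "bigip-old": "11.5.4",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A result of "not listed" means only that the version is outside the ranges the advisory names; versions it does not mention should be confirmed against F5's own advisory rather than inferred to be unaffected.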

Impact

An attacker may exploit this vulnerability by using a crafted URL to trigger a reflected cross-site scripting (XSS) flaw in an undisclosed page of the Configuration utility.

Recent assessments:

hrbrmstr at December 14, 2020 2:12pm UTC reported:

Attacker Value

“Reflected XSS” means an authenticated user has to pass a malicious, specially-crafted URL onto the iControl REST API.

“Undisclosed REST API endpoints” means it will take some time (perhaps, not much, but “it depends” given the black-box nature of F5 kit) to discover these weak entry points.

Once weak REST endpoints are known, an attacker has to get their crafted URL into some context where an F5 REST API user can pass it on in an authenticated context.

It is unlikely F5 users would click on obvious REST API URLs from non-trusted parties (nor that it would do much good depending on how authentication state is maintained). URL shorteners or on-hover cloaking could be used to trick said admins, but then there’s the “an attacker would have to know who are F5 iControl admins” hard part.

There are a handful of third-party iControl REST API projects on GitHub and Docker. It is theoretically possible a highly motivated attacker could target organizations via these projects, but all have a small number of GH stars, which suggests they aren’t super-popular/used.

It is unlikely opportunistic attackers will (a) dedicate resources to discovering the flawed REST API endpoints, and (b) be able to identify F5 iControl users to target.

This may be a useful weakness for more sophisticated attackers performing targeted attacks.

Mitigation

If one cannot patch their systems, F5 has noted that it is possible to mitigate this vulnerability by permitting management access to F5 products only over a secure network, and limiting access to only trusted users (though these are the users attackers are targeting, so it’s a bit of a head-scratcher).

For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 16.x) and K13092: Overview of securing access to the BIG-IP system.

Assessed Attacker Value: 3
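From a detection standpoint, a reflected XSS attempt of the kind the assessment describes shows up in the management-interface access log as a request whose query string carries script content, often percent-encoded more than once. The Python below is an added example and not code from the page, F5 or AttackerKB: it parses combined-format log lines, restricts attention to management paths (assumed here to be /mgmt/ for iControl REST and /tmui/ for the Configuration utility; the vulnerable endpoints are undisclosed, and the paths in the sample lines are chosen for the example, not taken from the advisory), decodes the query until it stops changing, and flags known script markers. The log lines, addresses and payloads are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format parser. The regex and all sample lines below are
# constructed for this example; they are not F5 log output.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: iControl REST lives under /mgmt/ and the Configuration utility
# under /tmui/. The vulnerable endpoints are undisclosed, so every request to
# these prefixes is in scope rather than one particular page.
MGMT_PREFIXES = ("/mgmt/", "/tmui/")

# Coarse markers for script content in a decoded query string.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=",
               "<svg", "<img", "<iframe")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%253C -> %3C -> <) is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a management-path request whose query
    string contains a script marker, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(MGMT_PREFIXES):
        return None
    query = decode_fully(parts.query).lower()
    hits = [marker for marker in XSS_MARKERS if marker in query]
    if not hits:
        return None
    return {
        "src": m["src"],
        "ts": m["ts"],
        "path": parts.path,
        "markers": hits,
        "status": int(m["status"]),
        "referer": m["referer"],
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines, keeping findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log: addresses, paths and payloads are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2020:10:01:02 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" '
    '200 512 "-" "curl/7.64.1"',
    '10.0.0.9 - - [11/Dec/2020:10:02:15 +0000] '
    '"GET /mgmt/example?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" '
    '200 1024 "https://example.invalid/" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2020:10:02:30 +0000] '
    '"GET /tmui/example?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [11/Dec/2020:10:03:00 +0000] "GET /tmui/login.jsp HTTP/1.1" '
    '200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["src"]} {finding["path"]} '
              f'markers={finding["markers"]} referer={finding["referer"]}')
```

Marker matching is deliberately coarse and will miss obfuscated payloads; treat it as a triage rule that surfaces candidates for review, not as proof of exploitation. Because the CVSS vector carries UI:R and the assessment describes an authenticated user carrying the URL, the source address and Referer of a flagged request matter more than usual: a management request arriving from an administrator's workstation with an external Referer is the combination worth escalating.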
