Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.

The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.

At the end of June, F5 issued urgent patches for a critical RCE flaw (CVE-2020-5902), which is present in the Traffic Management User Interface (TMUI) of the company’s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan showed that there were almost 8,500 vulnerable devices exposed on the internet.

Shortly after disclosure, public exploits were made available for it, leading to mass scanning for vulnerable devices by attackers, and ultimately active exploits.

“CVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,” Expanse researchers noted in an advisory issued on Friday. “It was deemed so critical that U.S. Cyber Command issued a tweet on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.”

Fast-forward to two weeks later, and patches have rolled out to less than 500 of that original group of vulnerable machines, according to the analysis. Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.

The stakes are high, as one would expect from a critical-rated bug: “The vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,” explained the researchers. “This vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.”

To boot, an additional bug, CVE-2020-5903, affects the same vulnerable management interface via a cross-site scripting vulnerability (XSS) that Expanse said could also be leveraged to include RCE.

Despite active exploits and security experts urging companies to deploy the urgent patch for the critical vulnerability, patching is clearly going slowly – something that Tim Junio, CEO and co-founder of Expanse, chalks up to a lack of visibility.

“Patching is likely proceeding slowly because organizations may not know that they have these TMUIs,” Junio told Threatpost. “If they are unaware of their complete inventory of internet-connected systems and services, they will not have well-defined processes for patching them. Security teams are also often stretched thin and that can result in delays in patching, even for critical items like this.”

Junio also told Threatpost that if a malicious actor gained this type of remote access it could be catastrophic – and yet the bug carries an ease of exploitation that he likens to a Jedi mind trick.

“An attacker just needs to send the firewall a set of commands, which are now publicly known, in order to take over the firewall,” he explained. “A physical world analogy: If a firewall is a bit like a guard and a gate at the entrance of a facility that is surrounded by walls, this exploit is like a Jedi mind trick whereby an attacker can walk right up to the guard, suggest to the guard they leave their post and give the attacker a guard uniform and all keys to the gate – and the guard will say yes.”

The attacker can then carry out all sorts of different nefarious activities in the context of a privileged user.

Junio explained, continuing his analogy, “In other words, the attacker can now walk into the facility unimpeded (unauthorized access); bring sensitive data and objects out of the facility unimpeded (exfiltration); and can close the gate to legitimate people trying to enter the facility (denial of service); among many other actions.”

The TMUI is responsible for configuration, and Junio noted that there’s generally no reason for it to be exposed to the internet – so, a simple interim mitigation (albeit not a full one) in lieu of patching would be to remove it from public view.

“This is a very concerning number of exposed TMUIs on the internet,” said Junio. “A hack of a major enterprise via this type of attack vector could be very damaging to that organization.”

He added that he believes that an attack on any number of enterprises could go so far as to be harmful to the global economy.

“Actual day-to-day users of F5 equipment are generally going to be security operations, network operations or infrastructure professionals,” said Junio. “Bigger picture, the customers/buyers of this technology are some of the world’s largest enterprises and government agencies.” These include 48 out of the Fortune 50, he added, though he’s not aware which, if any, of these specific installations are vulnerable to attack.