Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit

Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks‘ BIG-IP multi-purpose networking devices, to install coin-miners, IoT malware, or to scrape administrator credentials from the hacked devices.


About CVE-2020-5902

CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies.

Positive Technologies researcher Mikhail Klyuchnikov unearthed it along with CVE-2020-5903, a less critical XSS vulnerability that allows malicious JavaScript to run as the logged-in user on BIG-IP devices.

To exploit CVE-2020-5902, an attacker needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” the researcher noted.

“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.”

Shodan shows around 8,500 vulnerable devices available on the internet, nearly 40% of which are in the U.S.

Active exploitation

F5 Networks published security advisories for both flaws last Wednesday, just as the U.S. was looking forward to the long Independence Day weekend.

Both the company and the U.S. Cyber Command urged admins on Friday to check whether their F5 BIG-IP web interfaces were exposed on the internet and to implement the offered patches before the weekend started.

At the time, there was no public exploit available for CVE-2020-5902, but some soon became available. A Metasploit module is also in the works.

Finally, opportunistic mass scanning for vulnerable devices started during the weekend, and various attackers began leveraging the exploits.

What to do?

According to F5 Networks, BIG-IP networking devices are used as server load balancers, application delivery controllers, access gateways, etc. by 48 of the Fortune 50 companies. They are also used by ISPs and governments.

As noted before, F5 Networks released fixed software versions last week as well as helpful risk mitigation advice if patching is impossible at this moment.

For organizations that didn’t get around to any of it, Microsoft cybersecurity pro Kevin Beaumont offers the following advice:

SANS ISC handler Didier Stevens has also provided helpful links and advice.

UPDATE (July 8, 2020, 3:42 a.m. PT):

Attackers are bypassing one of the mitigations originally provided by F5 Networks, so any organization that applied it instead of patching their F5 BIG-IP boxes should take action again and check whether their devices have been compromised in the meantime.
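One concrete way to start the "check whether you've been hit" triage the article recommends is to sift the web-server access logs of the TMUI host for requests that combine the /tmui/ path with a directory-traversal segment, the exploitation pattern the researcher describes. The script below is an added example, not code from the article, F5 or any of the people quoted; it assumes combined-log-style access lines (the sample lines are constructed, not real traffic) and that the server resolves paths the way Java servlet containers do, dropping ";param" path parameters per segment and percent-decoding, so encoded and semicolon-obfuscated traversal is normalized before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); none is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jul/2020:10:02:45 +0000] "GET /tmui/login.jsp/..;/tmui/example/page.jsp?x=1 HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.4 - - [06/Jul/2020:10:03:01 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/example/page.jsp HTTP/1.1" 404 196 "-" "python-requests/2.23"
198.51.100.5 - - [06/Jul/2020:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Only the fields needed for triage are captured; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalized_segments(target: str) -> list:
    """Split the request path into segments as a servlet container would resolve them:
    percent-decode twice (catches double encoding) and strip ';param' path parameters,
    so '..;' and '%2e%2e%3b' both read as a plain '..' segment."""
    path = target.split("?", 1)[0]
    return [unquote(unquote(seg)).split(";", 1)[0] for seg in path.split("/")]


def is_tmui_traversal(target: str) -> bool:
    """True when a request under /tmui/ contains a parent-directory segment."""
    segs = normalized_segments(target)
    under_tmui = len(segs) > 1 and segs[1].lower() == "tmui"
    return under_tmui and ".." in segs


def suspicious_requests(log_text: str) -> list:
    """Return (ip, timestamp, target, status) for every log line worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_tmui_traversal(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review:", *hit)
```

A hit with a 200 status deserves the most attention, but a 404 still records who was probing and when; feed real logs in via `suspicious_requests(open(path).read())`.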
