Attackers are bypassing a mitigation for the BIG-IP TMUI RCE vulnerability (CVE-2020-5902) originally provided by F5 Networks, NCC Group’s Research and Intelligence Fusion Team has discovered.
On CVE-2020-5902 (K52145254) @TeamAresSec reported publicly at 18:24 the mitigation could be bypassed, we saw it used in the wild at 12:39 for the first time – upgrade don't mitigate – https://t.co/sSr4JIZwu3 pic.twitter.com/PMfG0rCpyQ
— NCC Group Infosec (@NCCGroupInfosec) July 7, 2020
“Early data made available to us, as of 08:05 on July 8, 2020, is showing of ~10,000 Internet exposed F5 devices that ~6,000 were made potentially vulnerable again due to the bypass,” they warned.
F5 Networks has updated the security advisory to reflect this discovery and to provide an updated version of the mitigation. The advisory has also been updated with helpful notes regarding the impact of the flaw, the various mitigations, as well as indicators of compromise.
CVE-2020-5902 exploitation attempts
CVE-2020-5902 was discovered and privately disclosed by Positive Technologies researcher Mikhail Klyuchnikov.
F5 Networks released patches and published mitigations last Wednesday and PT followed with more information.
Security researchers were quick to set up honeypots to detect exploitation attempts and, a few dats later, after several exploits had been made public, they started.
Some were reconnaissance attempts, some tried to deliver backdoors, DDoS bots, coin miners, web shells, etc. Some were attempts to scrape admin credentials off vulnerable devices in an automated fashion.
There’s also a Metasploit module for CVE-2020-5902 exploitation available (and in use).
Any organization that applied the original, incomplete mitigation instead of patching their F5 BIG-IP boxes should take action again:
🚨 For those orgs who applied the F5 BIG-IP and BIG-IQ mitigation rather than patching 🚨
there’s a bypass to the mitigation being used in the wild now.
— Kevin Beaumont (@GossiTheDog) July 8, 2020
this is not good. If you applied the workaround… you need to patch! (or finally isolate your admin interface) https://t.co/RlWb61qZoh
— SANS ISC (@sans_isc) July 8, 2020
They should also check whether their devices have been compromised in the interim.