Patching Urged as F5 BIG-IP Vulnerability ExploitedResearchers Say Exploited Flaw Could Lead to Complete System Compromises
Security researchers warn that the number of exploit attempts targeting a critical vulnerability in F5 Networks' BIG-IP networking products has steadily increased since the company first announced the flaw late last week. They urge users to immediately apply patches.
Rich Warren, a researcher with security firm NCC Group, posted on Twitter Monday that his company’s honeypots had found an uptick in remote code execution attempts targeting the BIG-IP vulnerability, with a majority apparently originating in China.
F5 Networks released patches for the critical vulnerability in BIG-IP networking products over the July 4th holiday weekend after security researchers warned that the flaws were already being exploited. Because the vulnerability is within the user interface, the flaw affects many products and versions within the BIG-IP product line.
Meanwhile, other security researchers have posted proof-of-concept exploits of this vulnerability in an effort to get organizations to apply the patches as soon as possible.
Urgent Security Advisory
On Friday, F5 released an urgent security advisory on a remote code execution vulnerability in the traffic management user interface of BIG-IP, a family of products used by banks, government agencies, internet service providers and Fortune 500 firms, including Microsoft and Oracle.
Mikhail Klyuchnikov, a researcher with security firm Positive Technologies, says in a blog that he found the vulnerability and brought it to the attention of F5.
The vulnerability, tracked as CVE-2020-5902, could allow hackers to access networks, carry out commands, create or delete files, disable services and run remote code execution, according to F5’s advisory.
The vulnerability received a 10 out of 10 score on the CVSSv3 severity scale, which prompted the U.S. Cyber Command and the MS-ISAC Center for Internet Security to issue their own advisories on the security flaw on Friday, urging government and private business users to apply the patches as soon as possible.
URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020
On June 30, U.S. Cyber Command issued a separate warning to users of Palo Alto Networks products after the discovery of a critical flaw, CVE-2020-2021, which can be remotely exploited to bypass authentication and take full control of systems or gain access to networks (see: US Cyber Command Alert: Patch Palo Alto Networks Products).
Urgent Action Needed
On Sunday, security researcher Troy Mursch of Bad Packets tweeted that his firm's preliminary scans for the BIG-IP vulnerability, CVE-2020-5902, found more than 1,800 vulnerable F5 BIG-IP product hosts, with honeypots detecting opportunistic mass scanning activity originating from multiple locations targeting those F5 BIG-IP servers.
Bad Packets also found BIG-IP product hosts that were vulnerable to this particular flaw in 66 countries, although the most vulnerable systems were located within the U.S.
NCC Group's Warren also tweeted over the weekend that he found active exploitation of CVE-2020-5902, with the first of these exploits originating in Italy.
"The exploit we've seen is very simple and we can expect public exploits to follow shortly," Warren said on Twitter.
In its report on the exploitation of CVE-2020-5902 posted Sunday, NCC Group noted that active exploitation started on Friday.
That NCC Group report notes that because the affected F5 BIG-IP systems are load balancers, the exploit gives attackers access to acquire:
- Existing sessions through cookie theft;
- License keys;
- Private keys to SSL or TLS certificates on the device.
Other analysts took to Twitter as well to demonstrate their own proof-of-concept exploits of the CVE-2020-5902 vulnerability.
TMSH access in a matter of minutes (CVE-2020-5902). Of course this does require access to the management interface. pic.twitter.com/FcR2zRZBG9— Yorick Koster (@yorickkoster) July 5, 2020