Periodically, critical vulnerabilities are overhyped and require a more practical approach to assessing their true impact. But in this case, Joe Slowik, Principal Adversary Hunter at ICS cybersecurity firm Dragos, agrees that recent statements are quite appropriate for the recent F5 BIG-IP ADC vulnerability CVE-2020-5902. Musing on his personal blog, Joe goes on to say this vulnerability is very serious, and its exploitation by actors that know what they’re doing is deeply concerning – yet not likely for the reasons many think.
Positive Technologies discovered and responsibly disclosed CVE-2020-5902 to F5, which published a security advisory including a patch and workaround on June 30, 2020. CVE-2020-5902 is a code injection vulnerability affecting F5’s Traffic Management User Interface (TMUI) pages. Specifically, TMUI fails to properly handle user-supplied URLs containing special character sequences, which can ultimately lead to retrieval of potentially sensitive files and execution of arbitrary system commands. Successful exploitation can be accomplished remotely, without authentication, and results in complete compromise of the system. Organizations that delay patching are strongly encouraged to implement compensating controls as soon as possible; however, the workaround should only be a temporary measure while a patch cycle is prioritized. Visit the F5 support page for affected product versions and further technical details.
Exploit Code Available
Proof-of-concept (POC) and functional exploit code exist in the wild. Researchers have observed a large amount of scanning activity, exploitation attempts, and chatter from threat actors, including examples of specific syntax for discovering vulnerable devices through Google, Shodan, and Censys. According to the researcher who discovered the vulnerability, this [vulnerability] is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Positive Technologies experts found that in June 2020 there were more than 8,000 vulnerable devices reachable from the internet worldwide, of which 40% were in the United States.
Indeed, the remote code execution (RCE) vulnerability is a definite concern, but Joe points out additional concerns regarding the weaponization of this vulnerability. While the patch and workarounds remove the ability of unauthenticated attackers to exploit this vulnerability, Slowik’s concerns extend to follow-up attacks from sufficiently skilled actors who exploited the vulnerability (and gained full administrative access) before the patch or workaround was applied. In other words, patching or compensating controls will not stop access gained through stolen valid credentials. Such actors would be able to log back in with valid authentication after mitigation, since most passwords are not changed after a system is patched. Read more about the ramifications of this vulnerability at Stranded on Pylos.