Original Release Date: 7/10/2020
On June 30, F5 released an advisory regarding a remote code execution vulnerability (CVE-2020-5902) in its Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, impacting BIG-IP devices. Exploitation of this vulnerability could allow an unauthenticated remote threat actor to fully compromise the targeted system, steal user credentials, or move laterally on the device’s network. Administrators of F5 BIG-IP active delivery controller (ADC) devices were urged to either apply the updates released on July 3 or implement the mitigations provided in F5's advisory. On July 7, however, security researchers found a bypass for the mitigation, which allowed exploitation of the device. Modified mitigations are available; however, updating systems is highly encouraged. Public proof-of-concept code is available, and attempts to exploit the vulnerability are ongoing. The US Cyber Command and others are urging administrators to update their devices as soon as possible.
The NJCCIC recommends F5 BIG-IP administrators update their devices immediately after appropriate testing, and review the F5 security advisory for more information. Those who have not yet updated their F5 devices are also advised to examine their networks for signs of compromise.