Two days after patches for a critical F5 BIG-IP vulnerability were released, security researchers have started publicly posting proof-of-concept (PoC) exploits showing how easy it is to exploit these devices.
F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet services providers, and many consumer brands, including Microsoft, Oracle, and Facebook.
This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.
Exploiting a BIG-IP device would allow an attacker to gain full access to the system, export user credentials, and potentially traverse the device’s internal network.
“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected,” F5’s advisory reads.
Due to the severity of this vulnerability, the US Cyber Command issued an alert strongly advising that users install the update and not postpone it until after the Fourth of July holidays.
F5 BIG-IP PoC exploits released and actively used
Today, numerous researchers have started to publicly post exploits for the F5 BIG-IP CVE-2020-5902 vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices.
Another researcher has created a GitHub repository that lists PoCs for performing various tasks, such as displaying the /etc/passwd file to access stored credentials or viewing the device’s configuration file.
NCC Group’s Rich Warren has already started to see remote attacks attempting to exploit F5 BIG-IP devices.
If you are using F5 BIG-IP devices on your network, you must patch your devices now.
BIG-IP versions vulnerable to attacks (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be upgraded to the corresponding patched versions listed in F5’s advisory.
Users of cloud marketplaces (e.g., AWS, Azure, GCP, and Alibaba) are advised to switch to the patched BIG-IP Virtual Edition (VE) versions listed in F5’s advisory, if available.
Without a doubt, APT groups, state-sponsored actors, and ransomware operators will, if they have not already, use this vulnerability to try to breach your network. Patch now!