The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today published an alert confirming active exploitation of CVE-2020-5902, an unauthenticated remote code execution (RCE) vulnerability affecting F5 BIG-IP ADC devices.
CISA’s alert also provides additional mitigations and detection measures to help victims find out if their systems may have been compromised and recover after attacks that successfully exploited unpatched F5 devices.
Two orgs compromised after CVE-2020-5902 exploitation
According to F5's security advisory, any devices still unpatched have most likely already been compromised in attacks that began just a few days after the company disclosed the flaw.
“CISA has observed scanning and reconnaissance, as well as confirmed compromises, within a few days of F5’s patch release for this vulnerability,” the agency says.
“As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies—this activity is currently occurring as of the publication of this Alert.”
While investigating potential compromises resulting from CVE-2020-5902, CISA was able to confirm successful attacks against two targets.
CISA has been working with several entities across multiple sectors to investigate potential compromises relating to this vulnerability. CISA has confirmed two compromises and is continuing to investigate.
Critical 10/10 rating security flaw
F5 Networks (F5) released security updates earlier this month for CVE-2020-5902, a critical vulnerability (10/10 CVSSv3 score) impacting BIG-IP application delivery controller (ADC) devices.
The same day, US Cyber Command urged F5 customers to patch their BIG-IP ADC devices immediately; the devices are known to be used by Fortune 500 firms, governments, and banks around the world.
Two days later, security researchers started publicly sharing CVE-2020-5902 PoC exploits to demonstrate how easy it is to steal data from and execute commands on unpatched devices.
F5 initially provided customers with mitigations meant to address the vulnerability until the security updates could be installed. In a subsequent update to the CVE-2020-5902 security advisory, however, the company said those mitigations were not completely effective and advised customers to install the patched software versions to fully address the flaw.
Detection and recovery measures
IT admins are advised to use F5's CVE-2020-5902 IoC Detection Tool to look for indicators of compromise within their organizations' environments.
The agency recommends that all organizations work through the following action list while hunting for signs of exploitation:
• Quarantine or take offline potentially affected systems
• Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
• Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)
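The artifact collection step above, as an added example that is not part of CISA's alert or F5's IoC Detection Tool: a POSIX shell function that snapshots running processes, current network connections and listening sockets, and recent authentications into a timestamped evidence directory, then hashes the files so they can be reviewed offline without doubt about their integrity. The output layout and file names are this example's own choices, and the log paths it copies are the common Linux ones, an assumption rather than anything BIG-IP-specific.

```shell
#!/bin/sh
# Volatile-artifact snapshot for a host suspected of CVE-2020-5902 exploitation.
# Added example; not taken from CISA's alert or F5's tooling. Assumes a POSIX
# shell and common userland; each collector degrades gracefully when a tool is
# missing so the script still produces a reviewable bundle.

collect_artifacts() {
    outdir="${1:-./triage-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$outdir" || return 1

    # 00: who collected what, where and when, so the bundle is attributable.
    {
        uname -a
        date -u
        id
    } > "$outdir/00-context.txt" 2>&1 || true

    # 10: running processes/services with parent PIDs and elapsed time.
    # Fall back to progressively simpler ps invocations on minimal systems.
    { ps -eo pid,ppid,user,etime,args 2>/dev/null \
        || ps -ef 2>/dev/null \
        || ps; } > "$outdir/10-processes.txt" 2>&1 || true

    # 20: recent network connections and listening sockets.
    { ss -tunap 2>/dev/null \
        || netstat -tunap 2>/dev/null \
        || cat /proc/net/tcp /proc/net/udp; } > "$outdir/20-network.txt" 2>&1 || true

    # 30: login history, plus copies of the auth logs (common Linux paths; an
    # assumption of this example, not BIG-IP log locations).
    { last -Fa 2>/dev/null || last 2>/dev/null || echo "last: unavailable"; } \
        > "$outdir/30-logins.txt" 2>&1 || true
    for log in /var/log/auth.log /var/log/secure; do
        if [ -r "$log" ]; then
            cp "$log" "$outdir/31-$(basename "$log")" 2>/dev/null || true
        fi
    done

    # Hash every collected file so a later reviewer can prove nothing changed.
    (
        cd "$outdir" || exit 1
        if command -v sha256sum >/dev/null 2>&1; then sha256sum [0-9]*
        elif command -v shasum >/dev/null 2>&1; then shasum -a 256 [0-9]*
        else echo "no sha256 tool available; hash the files manually"; fi
    ) > "$outdir/manifest.sha256" 2>&1 || true

    # Make the evidence files read-only; the directory stays writable so the
    # analyst can still move or archive the bundle.
    chmod a-w "$outdir"/* 2>/dev/null || true
    printf 'artifacts written to %s\n' "$outdir"
    return 0
}

# Usage: sh triage.sh --run [output-dir]. The --run guard means sourcing the
# file to inspect the function does not start a collection.
if [ "${1:-}" = "--run" ]; then
    collect_artifacts "${2:-}"
fi
```

Run it before the host is reimaged, since everything it captures is lost once the device is rebuilt, and copy the bundle off the box together with its manifest before any remediation changes the system.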
If they find evidence of CVE-2020-5902 exploitation, organizations are urged to begin recovery on the affected systems immediately by:
• Reimaging compromised hosts
• Provisioning new account credentials
• Limiting access to the management interface to the fullest extent possible
• Implementing network segmentation
“CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions,” the agency said.
“CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.”