
Multiple vulnerabilities affecting F5 BIG-IP

Reference: Advisory #2020-023
Version: 1.0
Affected software: BIG-IP versions (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x)
Type: Remote Code Execution (RCE) & Cross-Site Scripting (XSS)
CVE/CVSS:

CVE-2020-5902 (CVSSv3: 10)
CVE-2020-5903 (CVSSv3: 7.5)

Sources

(1) https://support.f5.com/csp/article/K52145254
(2) https://support.f5.com/csp/article/K43638305
(3) https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerabil...
(4) https://fr.tenable.com/blog/cve-2020-5902-critical-vulnerability-in-f5-b...
(5) https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui...

Risks

Two vulnerabilities have been discovered in the configuration interface of the BIG-IP application delivery controller (ADC). The Cross-Site Scripting (XSS) vulnerability, CVE-2020-5903, could allow an attacker to run JavaScript code with the privileges of the current user. Successful exploitation of the remote code execution vulnerability, CVE-2020-5902, could allow an unauthenticated attacker to execute arbitrary system commands and Java code, create or delete files, intercept information, and disable services on the vulnerable device.

Description

BIG-IP is one of the most popular networking products manufactured by F5 Networks. BIG-IP devices can be configured as traffic shaping systems, load balancers, firewalls, access gateways, rate limiters or SSL middleware.
A security researcher at Positive Technologies discovered two vulnerabilities affecting the Configuration utility, also referred to as the Traffic Management User Interface (TMUI).
The vulnerability CVE-2020-5903 enables an attacker to execute JavaScript code; the severity of this flaw is classified as “high”.
CVE-2020-5902 is a remote code execution flaw allowing an attacker to take full control over an unpatched system. The severity of this vulnerability is classified as “critical”. Furthermore, cyber security experts have discovered that attackers are actively exploiting this vulnerability.
Several Proof of Concept (PoC) scripts for CVE-2020-5902 have been published.

Recommended Actions

The CCB recommends that system administrators apply the patches for both vulnerabilities (CVE-2020-5903(2) and CVE-2020-5902(1)) released by the vendor.
If immediate patching for CVE-2020-5902 is not possible, F5 Networks provides workarounds(2) to prevent an attacker from exploiting this flaw.