F5 has patched a Critical remote code execution (RCE) vulnerability (CVE-2020-5902) in the Configuration utility of BIG-IP. Researchers further discovered 8,000 vulnerable devices exposed on the internet; successful exploitation could result in full system compromise.
The RCE vulnerability in undisclosed pages, tracked as CVE-2020-5902, exists in the Traffic Management User Interface (TMUI), also known as the Configuration utility.
F5 describes the impact in a new advisory:
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. (F5)
This vulnerability has a CVSS score of 10.0 and is rated Critical severity.
Security researcher Mikhail Klyuchnikov of Positive Technologies discovered and privately disclosed the issue to F5.
Positive Technologies' researchers further found more than 8,000 vulnerable devices exposed on the internet.
Multiple F5 BIG-IP products are affected, including: LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, and PEM.
In addition, multiple BIG-IP versions (11.x, 12.x, 13.x, 14.x and 15.x) are impacted and should be upgraded to the latest version to address the RCE vulnerability.
F5 also offers several workarounds and additional safeguards that can be deployed to prevent exploitation of the vulnerability:
- Add a LocationMatch configuration element to httpd.
- Block all access to the TMUI of your BIG-IP system via Self IPs.
- Only permit management access to F5 products over a secure network.
Network administrators should upgrade affected F5 devices and apply the safeguards as soon as possible.
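For teams that manage more than a handful of BIG-IP devices, the practical question is which units to fix first. The following is an added example, not F5's tooling and not code from the article: it maps the impacted major branches (11.x through 15.x, as listed above) and the three workarounds onto a constructed inventory and orders devices by urgency. The hostnames, the inventory fields and the `BigIpDevice` record are assumptions for the example; because the fixed release numbers are not on the page, the script flags "runs an impacted branch" rather than judging patch status.

```python
# Added example (not F5's code, not from the article): a small, constructed
# fleet audit that maps the article's affected branches and the three
# workarounds onto an inventory so a defender can prioritise remediation.
# Fixed-release numbers are not on the page, so patch status is not judged;
# only "runs an impacted major branch" is checked.
from dataclasses import dataclass
from typing import Dict, List

# Major branches the article lists as impacted (11.x through 15.x).
AFFECTED_BRANCHES = {11, 12, 13, 14, 15}


@dataclass
class BigIpDevice:  # assumed inventory record shape
    name: str
    version: str                     # e.g. "14.1.2"
    tmui_via_self_ips: bool          # TMUI reachable on Self IPs (workaround: block)
    mgmt_on_secure_network: bool     # management port reachable only from a secure network
    httpd_locationmatch_added: bool  # LocationMatch workaround present in httpd config


def major_version(version: str) -> int:
    """Return the major branch of a BIG-IP version string such as '15.1.0.3'."""
    head = version.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError(f"unparseable BIG-IP version: {version!r}")
    return int(head)


def audit_device(dev: BigIpDevice) -> List[str]:
    """Return the findings for one device; an empty list means nothing to do."""
    findings: List[str] = []
    if major_version(dev.version) in AFFECTED_BRANCHES:
        findings.append("affected-branch: upgrade to the fixed release")
        if not dev.httpd_locationmatch_added:
            findings.append("workaround-missing: add the LocationMatch element to httpd")
    if dev.tmui_via_self_ips:
        findings.append("tmui-on-self-ips: block TMUI access via Self IPs")
    if not dev.mgmt_on_secure_network:
        findings.append("mgmt-exposed: permit management access only over a secure network")
    return findings


def audit_fleet(devices: List[BigIpDevice]) -> Dict[str, List[str]]:
    """Findings per device name."""
    return {d.name: audit_device(d) for d in devices}


def remediation_order(devices: List[BigIpDevice]) -> List[str]:
    """Device names, most urgent first: an impacted branch whose control plane is
    reachable (Self IPs or an unrestricted management port) outranks the rest;
    ties are broken by finding count, then by name for a stable order."""
    def urgency(d: BigIpDevice):
        affected = major_version(d.version) in AFFECTED_BRANCHES
        reachable = d.tmui_via_self_ips or not d.mgmt_on_secure_network
        return (-(affected and reachable), -len(audit_device(d)), d.name)
    return [d.name for d in sorted(devices, key=urgency)]


# Constructed inventory: hostnames and settings are invented for the example.
SAMPLE_INVENTORY = [
    BigIpDevice("bigip-edge-01", "14.1.2", True, False, False),
    BigIpDevice("bigip-core-02", "15.1.0", False, True, True),
    BigIpDevice("bigip-lab-03", "13.1.3", False, False, True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["no findings"])
    print("remediate in order:", remediation_order(SAMPLE_INVENTORY))
```

The ordering deliberately ranks exposure above finding count: a device on an impacted branch whose TMUI is only reachable from a restricted management network is still work to do, but it is not the unit that should be patched tonight.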