F5 BIG-IP Vulnerability May Allow Total Compromise

BIG-IP Load Balancer Vulnerability Overview

This threat report covers a vulnerability that affects F5 Networks' BIG-IP application services load balancers. The vulnerability is tracked as CVE-2020-5902.

Successful exploitation may allow a bad actor to perform remote code execution at a heightened privilege level.

Patches are available, along with a system-hardening workaround for systems that cannot be patched immediately.

Tactics, Techniques, and Procedures to Exploit BIG-IP Vulnerability

CVE-2020-5902 is a vulnerability in the TMUI (Traffic Management User Interface), the key configuration utility of the system.

The vulnerability can be exploited by both authenticated and unauthenticated attackers through the designated management port. The attacker can execute system commands and modify the system in many ways, which may result in a total compromise of the BIG-IP.

Systems in appliance mode are also affected by this vulnerability.

See the table below for the proper upgrade tree.

F5 BIG-IP Upgrade Tree (figure)

If the patch cannot be applied or your version lacks a proper patch, consider implementing the workaround found in the recommendations section of this document.

What the F5 BIG-IP Load Balancer Vulnerability Means to You

  • May lead to unauthorized changes to your BIG-IP F5 appliance.
  • May provide a foothold for bad actors to engage in traffic shaping on your critical assets.

What You Can Do About This BIG-IP Vulnerability

We recommend you implement the patch to avoid possible successful exploitation of the BIG-IP load balancer vulnerability.

You should also block external access to the TMUI pages on your F5 appliance.

This workaround may help as a stopgap measure:

  1. Log in to the TMOS Shell (tmsh) by entering the following command: tmsh
  2. Edit the httpd properties by entering the following command: edit /sys httpd all-properties
  3. Locate the include section and add the following (the closing </LocationMatch> tag and closing quote are required for the configuration to be well-formed):

     include '
     <LocationMatch ".*\.\.;.*">
     Redirect 404 /
     </LocationMatch>
     '

  4. Write and save the changes to the configuration file by pressing Esc and then entering the following command: :wq!
  5. Save the configuration by entering the following command: save /sys config
  6. Restart the httpd service by entering the following command: restart sys service httpd
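The LocationMatch rule above works by matching the request path against the regular expression `.*\.\.;.*` and answering 404 for anything that matches. The following added example (not code from this report or from F5) applies that same regular expression to httpd access-log lines, so a defender can review management-interface logs for requests that the workaround would have blocked, and separate those that were already redirected to 404 from those that reached the application. The log lines, IP addresses (from the 192.0.2.0/24 documentation range) and paths are constructed for the example; the Combined Log Format parser is an assumption about the log layout, not a statement about how BIG-IP logs are formatted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Same regular expression the workaround places in <LocationMatch>:
# any request path containing a ".." segment immediately followed by ";".
TMUI_WORKAROUND_PATTERN = re.compile(r".*\.\.;.*")

# Combined Log Format (assumed layout for this example):
# ip ident user [timestamp] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def path_would_be_blocked(path: str) -> bool:
    """True if the LocationMatch rule from the workaround would redirect this path to 404.

    LocationMatch is evaluated against the URL path, so the query string is dropped first.
    """
    path_only = path.split("?", 1)[0]
    return TMUI_WORKAROUND_PATTERN.match(path_only) is not None


def scan_log(lines: List[str]) -> List[Hit]:
    """Collect every parseable request whose path matches the workaround pattern."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        if path_would_be_blocked(rec["path"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["path"], int(rec["status"])))
    return hits


def classify(hits: List[Hit]) -> Tuple[List[Hit], List[Hit]]:
    """Split hits into requests that reached the application (non-404) and
    requests the workaround already answered with 404."""
    reached = [h for h in hits if h.status != 404]
    blocked = [h for h in hits if h.status == 404]
    return reached, blocked


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/ HTTP/1.1" 200 5123',
    '192.0.2.10 - - [06/Jul/2020:10:01:09 +0000] "POST /tmui/ HTTP/1.1" 302 0',
    '192.0.2.77 - - [06/Jul/2020:10:02:30 +0000] "GET /tmui/some/page/..;/other/page HTTP/1.1" 200 1342',
    '192.0.2.77 - - [06/Jul/2020:10:02:31 +0000] "GET /tmui/some/page/..;/other/page HTTP/1.1" 404 196',
    '192.0.2.55 - - [06/Jul/2020:10:03:00 +0000] "GET /tmui/static/../image.png HTTP/1.1" 200 88',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    reached, blocked = classify(scan_log(SAMPLE_LOG))
    for h in reached:
        print(f"REACHED APP  {h.ip} {h.ts} {h.path} -> {h.status}")
    for h in blocked:
        print(f"BLOCKED      {h.ip} {h.ts} {h.path} -> {h.status}")
```

A path containing `..` but no `;` (the last parseable sample line) does not match, which shows that the rule is narrower than a general traversal filter; a match with a 200 status on a system that has not yet been patched is the record to escalate, while a 404 confirms the workaround was in place at that time.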

Sources and Additional Information
