What to Know About the F5 BIG-IP Vulnerability Being Actively Exploited
How to protect against the BIG-IP vulnerability that has already compromised most TMUIs exposed to the internet
Written by Jordan Kalm, Threat Intelligence Analyst
Many companies use F5’s BIG-IP products to load balance and secure their web applications. On June 30th, 2020, F5 published a security advisory for a CVE rated 10/Critical that impacted the company’s BIG-IP products. The vulnerability lies in the BIG-IP TMUI (Traffic Management User Interface) management web interface, which improperly neutralized untrusted user input, allowing for malicious cross-site scripting, cross-site request forgery, and remote command injection. The BIG-IP devices also do not properly enforce access controls on sensitive configuration files, which can be read and overwritten by an authenticated user via Secure Copy (SCP).
Hackers do not need valid credentials to attack these devices. They start with no network information or visibility and end up with full control over the BIG-IP device in a very short amount of time. Because these systems are commonly used for SSL offloading, a full compromise of a BIG-IP system could allow someone to passively intercept the unencrypted traffic inside the device, in addition to the active manipulation techniques described above. Many organizations deploy network tools incorrectly and cut corners in what they believe to be cost-saving measures, so many of these TMUI web interfaces are network facing, even though F5 warned against this in its BIG-IP access manual as far back as March 2019. Shodan, a search engine that shows which devices are connected to the Internet, has indexed nearly 8,400 BIG-IP devices that are both connected to the internet and indexable by its scanners.
While F5 has already released a patch for this vulnerability, many BIG-IP products remain online unpatched. The Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security, has been urging companies to patch this vulnerability since July 6th, 2020.
Again on June 30th, F5 issued a patch for this vulnerability; the National Vulnerability Database rated the vulnerability slightly lower, at 9.8/Critical. At the time there was no working exploit, though many security researchers saw it as a vulnerability on par with the security flaws in Microsoft’s Server Message Block (SMB) protocol that led to the WannaCry ransomware attack.
Current Threat Activity
Malicious threat actors are now actively scanning for this critical vulnerability. Many major threat actors have been conducting scanning and surveillance activity, attempting to use the exposed attack vector. F5’s own security advisory for this recent development states “If your BIG-IP has its TMUI exposed to the Internet and is not running an updated version of the software, it may already be compromised, and you should follow your internal incident response procedures.”
CISA has confirmed that, so far, two organizations have been compromised, and it is investigating additional attacks via incident response. If you have an unpatched F5 device with a management interface exposed to the internet, there is a fair chance that you have already been compromised; however, there are several mitigation techniques you can use to limit your network exposure and risk.
What to Do
One way to check for Indicators of Compromise (IoCs) associated with this exploit is the CVE-2020-5902 IoC detection tool developed by F5. If you determine that your BIG-IP has been compromised, immediately take the following steps:
- Immediately remove access to the management interface
- Immediately change all accounts and issue new account credentials
- Take the system out of service as soon as possible and conduct a full reimage of the devices
- We recommend that you ensure that your devices are being actively monitored for exploitation with a 24×7 threat monitoring & log management service.
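The steps above, together with F5’s guidance that an exposed and unpatched TMUI should be assumed compromised, can be turned into a triage pass over a BIG-IP inventory. The script below is an added example written for this post; it is not F5’s IoC detection tool and not code from the original article. The `FIXED_VERSIONS` table and the sample inventory are constructed placeholders: the real fixed builds must be taken from F5’s advisory for CVE-2020-5902, and the device records would come from your own asset inventory and the output of F5’s IoC tool.

```python
"""
Triage a BIG-IP inventory against CVE-2020-5902.

Added example for this post, not F5's tool and not the article's own code.
FIXED_VERSIONS and the inventory at the bottom are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER: first fixed TMOS build per affected release branch. These
# values are made up for illustration; replace them with the builds listed
# in F5's advisory for CVE-2020-5902.
FIXED_VERSIONS: Dict[str, str] = {
    "14.1": "14.1.9.9",   # placeholder
    "15.1": "15.1.9.9",   # placeholder
}


@dataclass
class BigIpDevice:
    hostname: str
    version: str                    # TMOS version string such as "14.1.2.3"
    tmui_internet_facing: bool      # is the TMUI reachable from the Internet?
    ioc_tool_clean: Optional[bool]  # result of F5's IoC tool; None = not run yet


def parse_version(version: str) -> Tuple[int, ...]:
    """'14.1.2.3' -> (14, 1, 2, 3), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def release_branch(version: str) -> str:
    """'14.1.2.3' -> '14.1'; F5 ships a separate fixed build per release branch."""
    return ".".join(version.split(".")[:2])


def is_patched(version: str, fixed_versions: Dict[str, str]) -> Optional[bool]:
    """True at or above the fixed build for its branch, False below it, None if unknown."""
    branch = release_branch(version)
    if branch not in fixed_versions:
        return None
    return parse_version(version) >= parse_version(fixed_versions[branch])


def triage(device: BigIpDevice,
           fixed_versions: Optional[Dict[str, str]] = None) -> Tuple[str, List[str]]:
    """
    Map one device to a severity label and the ordered actions from the post:
    patch, remove management access, run the IoC tool, rotate credentials,
    reimage, and keep the device under monitoring.
    """
    fixed = fixed_versions if fixed_versions is not None else FIXED_VERSIONS
    patched = is_patched(device.version, fixed)
    actions: List[str] = []

    if patched is not True:  # below the fixed build, or branch unknown: both need the patch
        actions.append("Upgrade to the fixed build for the %s branch"
                       % release_branch(device.version))
    if device.tmui_internet_facing:
        actions.append("Remove Internet access to the TMUI management interface")

    if device.ioc_tool_clean is False:
        severity = "COMPROMISED"
    elif device.tmui_internet_facing and patched is not True:
        # F5's guidance: exposed and unpatched may already be compromised.
        severity = "ASSUME-COMPROMISED" if device.ioc_tool_clean is None else "EXPOSED-UNPATCHED"
    elif patched is not True:
        severity = "UNPATCHED"
    else:
        severity = "PATCHED"

    if severity == "ASSUME-COMPROMISED":
        actions.append("Run F5's CVE-2020-5902 IoC detection tool and follow incident response procedures")
    if severity == "COMPROMISED":
        actions.append("Change all accounts and issue new credentials")
        actions.append("Take the system out of service and fully reimage it")
    actions.append("Keep the device under 24x7 threat monitoring and log management")
    return severity, actions


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        BigIpDevice("lb-edge-01", "14.1.2.3", True, None),
        BigIpDevice("lb-internal-02", "15.1.9.9", False, True),
        BigIpDevice("lb-edge-03", "14.1.2.3", True, False),
    ]
    for dev in inventory:
        sev, acts = triage(dev)
        print(f"{dev.hostname}: {sev}")
        for act in acts:
            print("  -", act)
```

Severity is decided by the IoC tool result first and exposure plus patch state second, so a device that the tool has already flagged is handled as compromised regardless of its version, while an exposed unpatched device that has not yet been checked is queued for the IoC tool rather than silently left in the unpatched bucket.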
Please feel free to consult with us if you need assistance in this area or would like to talk to someone about this further. You can contact us on this page: https://www.securityondemand.com/about-us/contact/
Read more about recent threats here: https://www.securityondemand.com/news-posts/threat-flash-alert-signifongoing-attack-campaign-from-iraqi-infrastructure/