F5 Networks has released a security advisory on July 1 to address a critical remote code execution (RCE) vulnerability that impacts the Traffic Management User Interface (TMUI) Configuration Utility of several BIG-IP networking devices. The vulnerability allows unauthenticated user with network access to execute system commands, create or delete files, disable services, and execute arbitrary code, and may result in complete system compromise.
A simple specifically-crafted HTTP request to the server hosting the TMUI utility for the BIG-IP configuration can result in a complete takeover, and all the information on the device can be considered compromised.
Security experts report that attackers are actively targeting the vulnerability in the wild, when the first active exploitations were visible as early as July 4 and maybe be even earlier. Therefore, any public-facing device patched after this date, and all the information on it, including digital certificates, keys, logs, configurations, and credentials should be considered compromised. The device should go through an incident response and a forensic investigation and follow the recommendation guidelines.
Exploitation in the wild
TMUI RCE vulnerability CVE-2020-5902 was discovered by Mikhail Klyuchnikov from Positive Technologies and reported to F5 before being fully disclosed on July 2. In the time of the research in June this year, Klyuchnikov found over 8,000 vulnerable devices exposed to the internet, 40% of which were located in the US. More recent scans show that around 6,000 devices are still exposed and potentially vulnerable for takeover.
F5 released temporary configuration mitigations until the upgrade to a fixed software version is complete, but these mitigations were proved to be insufficient, as security professionals discovered possible bypasses for them and reported on it to F5.
The exploits for the vulnerability came to surface immediately after the vulnerability disclosure, while exploit payloads were shared on Twitter and Github and an exploit module was added to the exploitation framework Metasploit on July 5. NCCGroup and other researchers reported that live exploitations are targeting the flaw already since July 4 and originate from Italy and China.
Risk to customer
If successfully exploited, a complete compromise of a vulnerable F5 device can enable an advanced attacker to leverage the appliances' network location to move laterally to additional systems, monitor or tamper with sensitive network traffic, evade defense mechanisms and establish a foothold in the environment.
Although F5 Networks disclosed the critical vulnerability and released patches as early as July 1, thousands of devices are still exposed to the internet and maybe vulnerable for complete takeover. F5’s devices are known to be used across the private and governmental sectors and its customers include many of the Fortune 50. Patching and mitigating this vulnerability becomes crucial as the United States Cyber Command urges everyone to install the updates.
We strongly encourage you to follow the recommendation from F5 Systems and immediately install the latest patched software versions to address the underlying vulnerability. F5 also offers recommendations if you cannot immediately patch, including restricting access to all TMUI interfaces.
Given that the information on devices, including digital certificates and keys could be compromised, certificates on devices should be revoked, keys re-issued and new certificates issued. This is not the first, and will certainly not be the last vulnerability that requires agile key and certificate rotation. Most organizations do not have a strong machine identity management program in place so key and certificate rotation on critical infrastructure is often de-prioritized during mitigations. Organizations with a strong machine identity management programs will be able to automate the rotation of any group of keys and certificates quickly and easily.
If your organization is using Venafi, you will be able to quickly identify impacted certificates and revoke and issue new certificates manually or automatically. If you're not currently a Venafi customer, you can learn more how Venafi can help with remediation in this video or Contact Us.
- How Criminals Are Leveraging SSL and HTTPS
- What Are Man-in-the-middle Attacks?
- What Are SSL Stripping Attacks?