JPCERT-AT-2020-0028
JPCERT/CC
2020-07-06(Initial)
2020-07-14(Update)
F5 Networks
K52145254: TMUI RCE vulnerability CVE-2020-5902
https://support.f5.com/csp/article/K52145254
JPCERT/CC confirmed the Proof-of-Concept codes had already been made public, and also observed the information of scanning activities targeting the vulnerability and traffic which appeared to exploit this vulnerability. Users of affected products are recommended to take measures as soon as possible.
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
- 15.x versions from 15.0.0 to 15.1.0
- 14.x versions from 14.1.0 to 14.1.2
- 13.x versions from 13.1.0 to 13.1.3
- 12.x versions from 12.1.0 to 12.1.5
- 11.x versions from 11.6.1 to 11.6.5
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
- 15.1.0.4
- 14.1.2.6
- 13.1.3.4
- 12.1.5.2
- 11.6.5.2
Also, F5 Networks provide workaround such as access restrictions as a way to mitigate the impact caused by the vulnerability. If it is difficult to apply update, please consider applying the workaround.
PT Security
F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
SANS ISC InfoSec Forums
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
https://isc.sans.edu/diary/rss/26310
NCC Group
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
If you have any information regarding this alert, please contact JPCERT/CC.
2020-07-14 Updated "I. Overview", "II. Affected Products", "III. Solution" and "IV. References"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2020-07-06(Initial)
2020-07-14(Update)
I. Overview
On July 1, 2020 (Local Time), F5 Networks has released information regarding vulnerability (CVE-2020-5902) in multiple BIG-IP products.An unauthenticated remote attacker leveraging the vulnerability may execute arbitrary code via the affected product's Traffic Management User Interface (TMUI). As a result, these products may be used as a stepping-stone to further attack activities. For more information on the vulnerability, please refer to the information provided by F5 Networks.F5 Networks
K52145254: TMUI RCE vulnerability CVE-2020-5902
https://support.f5.com/csp/article/K52145254
JPCERT/CC confirmed the Proof-of-Concept codes had already been made public, and also observed the information of scanning activities targeting the vulnerability and traffic which appeared to exploit this vulnerability. Users of affected products are recommended to take measures as soon as possible.
Update: July 14, 2020 Update
"II. Affected Products" and "III. Solution" on this alert were updated as the F5 Networks advisory had been updated. As for the details and latest information, please refer to the information provided by F5 Networks.
Also, F5 Networks has provided information which can be referred when the product owners investigate if their system has been compromised. Since scans and exploits regarding this vulnerability have been continuously observed in the wild, it is recommended to investigate system compromise as well as implement the solution for this vulnerability. Please refer to the above F5 Networks advisory or the information below.
F5 Networks
K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system
https://support.f5.com/csp/article/K11438344
Also, F5 Networks has provided information which can be referred when the product owners investigate if their system has been compromised. Since scans and exploits regarding this vulnerability have been continuously observed in the wild, it is recommended to investigate system compromise as well as implement the solution for this vulnerability. Please refer to the above F5 Networks advisory or the information below.
F5 Networks
K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system
https://support.f5.com/csp/article/K11438344
II. Affected Products
The following products and versions are affected by the vulnerability:BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
- 15.x versions from 15.0.0 to 15.1.0
- 14.x versions from 14.1.0 to 14.1.2
- 13.x versions from 13.1.0 to 13.1.3
- 12.x versions from 12.1.0 to 12.1.5
- 11.x versions from 11.6.1 to 11.6.5
III. Solution
F5 Networks released versions of the products addressing the vulnerability. Please consider updating to the versions after thorough testing.BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
- 15.1.0.4
- 14.1.2.6
- 13.1.3.4
- 12.1.5.2
- 11.6.5.2
Also, F5 Networks provide workaround such as access restrictions as a way to mitigate the impact caused by the vulnerability. If it is difficult to apply update, please consider applying the workaround.
IV. References
PT Security
F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
SANS ISC InfoSec Forums
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
https://isc.sans.edu/diary/rss/26310
NCC Group
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2020-07-06 First edition2020-07-14 Updated "I. Overview", "II. Affected Products", "III. Solution" and "IV. References"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/