JPCERT-AT-2020-0028 JPCERT/CC 2020-07-06(Initial) 2020-07-14(Update) <<< JPCERT/CC Alert 2020-07-06 >>> Alert Regarding Vulnerability (CVE-2020-5902) in Multiple BIG-IP Products https://www.jpcert.or.jp/english/at/2020/at200028.html I. Overview On July 1, 2020 (Local Time), F5 Networks has released information regarding vulnerability (CVE-2020-5902) in multiple BIG-IP products. An unauthenticated remote attacker leveraging the vulnerability may execute arbitrary code via the affected product's Traffic Management User Interface (TMUI). As a result, these products may be used as a stepping-stone to further attack activities. For more information on the vulnerability, please refer to the information provided by F5 Networks. F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 https://support.f5.com/csp/article/K52145254 JPCERT/CC confirmed the Proof-of-Concept codes had already been made public, and also observed the information of scanning activities targeting the vulnerability and traffic which appeared to exploit this vulnerability. Users of affected products are recommended to take measures as soon as possible. ** Update: July 14, 2020 Update ************************************* "II. Affected Products" and "III. Solution" on this alert were updated as the F5 Networks advisory had been updated. As for the details and latest information, please refer to the information provided by F5 Networks. Also, F5 Networks has provided information which can be referred when the product owners investigate if their system has been compromised. Since scans and exploits regarding this vulnerability have been continuously observed in the wild, it is recommended to investigate system compromise as well as implement the solution for this vulnerability. Please refer to the above F5 Networks advisory or the information below. F5 Networks K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system https://support.f5.com/csp/article/K11438344 ********************************************************************** II. Affected Products The following products and versions are affected by the vulnerability: BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) - 15.x versions from 15.0.0 to 15.1.0 - 14.x versions from 14.1.0 to 14.1.2 - 13.x versions from 13.1.0 to 13.1.3 - 12.x versions from 12.1.0 to 12.1.5 - 11.x versions from 11.6.1 to 11.6.5 III. Solution F5 Networks released versions of the products addressing the vulnerability. Please consider updating to the versions after thorough testing. BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) - 15.1.0.4 - 14.1.2.6 - 13.1.3.4 - 12.1.5.2 - 11.6.5.2 Also, F5 Networks provide workaround such as access restrictions as a way to mitigate the impact caused by the vulnerability. If it is difficult to apply update, please consider applying the workaround. IV. References PT Security F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ SANS ISC InfoSec Forums CVE-2020-5902 F5 BIG-IP Exploitation Attempt https://isc.sans.edu/diary/rss/26310 NCC Group RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/ If you have any information regarding this alert, please contact JPCERT/CC. ________ Revision History 2020-07-06 First edition 2020-07-14 Updated "I. Overview", "II. Affected Products", "III. Solution" and "IV. References" ====================================================================== JPCERT Coordination Center (Early Warning Group) MAIL: ew-info@jpcert.or.jp https://www.jpcert.or.jp/english/