F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902) Threat Alert

July 24, 2020 | Mina Hao

Vulnerability Description

Recently, NSFOCUS detected that F5 had updated its security advisory for the Traffic Management User Interface (TMUI) remote code execution vulnerability (CVE-2020-5902). The affected 15.x range was changed to 15.0.0–15.1.0, and the workarounds (the original ones had been found to be bypassable) and the validation methods were updated. An unauthenticated attacker who can reach the TMUI, also called the Configuration utility, through the BIG-IP management port or a self IP address can send crafted requests to read arbitrary files and execute arbitrary system commands, which amounts to full control of the device. The vulnerability has a CVSS score of 10.0. Metasploit (msf) has already integrated an exploit module for it. Users running affected versions are advised to take action as soon as possible.

F5 BIG-IP is an F5 application delivery platform that integrates the functions of network traffic management, application security management, and load balancing.

NSFOCUS reproduced the vulnerability shortly after it was reported, demonstrating both arbitrary file read and remote code execution (screenshots not reproduced here).

Reference link:

https://support.f5.com/csp/article/K52145254

Scope of Impact

Affected Versions

  • F5 BIG-IP 15.x: 15.0.0 – 15.1.0
  • F5 BIG-IP 14.x: 14.1.0 – 14.1.2
  • F5 BIG-IP 13.x: 13.1.0 – 13.1.3
  • F5 BIG-IP 12.x: 12.1.0 – 12.1.5
  • F5 BIG-IP 11.x: 11.6.1 – 11.6.5

Unaffected Versions

  • F5 BIG-IP 15.x: 15.1.0.4
  • F5 BIG-IP 14.x: 14.1.2.6
  • F5 BIG-IP 13.x: 13.1.3.4
  • F5 BIG-IP 12.x: 12.1.5.2
  • F5 BIG-IP 11.x: 11.6.5.2

Check for the Vulnerability

Version Check

(1) Run the following command in the TMOS shell (tmsh) to check the current version:

show /sys version

(2) Alternatively, log in to the web management interface (Configuration utility) and check the BIG-IP version shown there.

If the version falls within the affected ranges listed above and is older than the fixed build for its branch, the device is vulnerable.
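The following is an added example (not part of the original alert and not F5 or NSFOCUS code) that automates the version check above: it pulls the Version field out of `tmsh show /sys version` output and decides, against the affected and unaffected ranges listed in this alert, whether the build is vulnerable. The tmsh output sample is constructed for illustration; the version tuples are the ones from the Scope of Impact section.

```python
import re

# Affected range and first fixed build per branch, as listed in this alert.
# A version is vulnerable when first_affected <= version < first_fixed.
BRANCHES = {
    15: ((15, 0, 0), (15, 1, 0, 4)),
    14: ((14, 1, 0), (14, 1, 2, 6)),
    13: ((13, 1, 0), (13, 1, 3, 4)),
    12: ((12, 1, 0), (12, 1, 5, 2)),
    11: ((11, 6, 1), (11, 6, 5, 2)),
}

# Constructed sample of `tmsh show /sys version` output (not captured from a
# real device); only the Version line matters here.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2.3
  Build       0.0.5
  Edition     Point Release 3
"""


def parse_version(text):
    """'14.1.2.3' -> (14, 1, 2, 3). Tuples compare element-wise, and a shorter
    tuple sorts before a longer one with the same prefix, so 15.1.0 < 15.1.0.4."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_tmsh(output):
    """Extract the Version field from tmsh output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return parse_version(m.group(1))


def assess(version):
    """Return 'vulnerable', 'fixed' (at or above the fixed build) or
    'not listed' (a branch or build this alert does not cover)."""
    branch = BRANCHES.get(version[0])
    if branch is None:
        return "not listed"          # e.g. 16.x: not covered by this alert
    first_affected, first_fixed = branch
    if version < first_affected:
        return "not listed"          # e.g. 14.0.x or 11.6.0
    if version < first_fixed:
        return "vulnerable"
    return "fixed"


if __name__ == "__main__":
    v = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(".".join(map(str, v)), "->", assess(v))
    for s in ("15.1.0", "15.1.0.3", "15.1.0.4", "14.0.1", "16.0.0"):
        print(s, "->", assess(parse_version(s)))
```

A "not listed" result only means the build is outside the ranges this alert names; it is not a statement that the build is safe. Point releases that are not in the table (for example 15.1.0.3) are handled by the range comparison rather than by exact match.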

Detection with NSFOCUS Products

NSFOCUS Remote Security Assessment System (RSAS) and Web Vulnerability Scanning System (WVSS) are capable of scanning and detecting the vulnerability (CVE-2020-5902). Please upgrade them to the latest versions.

  • RSAS V6 system plug-in package, version V6.0R02F01.1902: http://update.nsfocus.com/update/downloads/id/106313
  • RSAS V6 web plug-in package, version V6.0R02F00.1801: http://update.nsfocus.com/update/downloads/id/106314
  • WVSS 6.0 plug-in upgrade package, version V6.0R03F00.167: http://update.nsfocus.com/update/downloads/id/106312

For how to configure NSFOCUS RSAS, click the following link:

https://mp.weixin.qq.com/s/aLAWXs5DgRhNHf4WHHhQyg

Mitigation

  • Official Fix

F5 has released fixed versions for every affected branch. Affected users are advised to upgrade as soon as possible; downloads are available at https://support.f5.com/csp/article/K9502.

For upgrade guide and notes, please visit https://support.f5.com/csp/article/K13123.

  • Workarounds

If it is impossible to upgrade currently, users can take the following mitigation measures:

(1) To prevent unauthenticated attackers from exploiting the vulnerability, add LocationMatch configuration elements to httpd (locally via tmsh, or remotely via the iControl REST interface). The procedure is as follows:

a. Log in to TMOS Shell (tmsh) by running the following command:

tmsh

b. Open the httpd configuration for editing by running the following command:

edit /sys httpd all-properties

c. Replace the contents of the include section with the following:

include '
<LocationMatch ";">
Redirect 404 /
</LocationMatch>
<LocationMatch "hsqldb">
Redirect 404 /
</LocationMatch>
'

d. Press Esc and input the following command to save modifications to the configuration file:

:wq!

e. Run the following command to save the changes:

save /sys config

f. Run the following command to restart the httpd service and make the modified configuration file take effect:

restart sys service httpd

(2) Users are advised to deny TMUI access to external IP addresses or allow TMUI access for administrators only in a secure network environment.

Note: The two methods above do not completely mitigate the vulnerability; it may still be exploited by authenticated users who have access to the TMUI.

(3) The Self IPs policy can be used to block all access to TMUI of the BIG-IP system. The procedure is as follows:

Set Port Lockdown on each Self IP of the system to Allow None. If some ports must remain open, use Allow Custom and make sure the TMUI port (TCP 443 by default) is not allowed.

Note: The third method blocks all access to the TMUI/Configuration utility via self IPs, but it may also affect other services that are reached through those self IPs.

Verification method

Users can access the following URLs to verify whether the mitigation measures are effective:

https://[IP ADDRESS]/tmui/login.jsp/..;/login.jsp

https://[IP ADDRESS]/hsqldb%0a

If the mitigation is in place, both requests return a 404 response.
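The following is an added example (not part of the original alert and not F5 or NSFOCUS code) that performs the verification above from a workstation. It requests both verification paths and, as a control, the plain login page: a 404 on the probes only proves something if `/tmui/login.jsp` itself is still served, otherwise the TMUI may simply be unreachable from where the check runs (for example after a Self IP lockdown) and the result is inconclusive. The `fetch` parameter is injectable so the decision logic can be exercised without a device; the address `192.0.2.10` is a placeholder.

```python
import ssl
import sys
import urllib.error
import urllib.request

# A request the Configuration utility must still answer normally; if it does
# not, a 404 on the probes below proves nothing.
CONTROL_PATH = "/tmui/login.jsp"

# Verification paths from this alert; both must return 404 once the
# LocationMatch workaround is active.
PROBE_PATHS = [
    "/tmui/login.jsp/..;/login.jsp",   # caught by <LocationMatch ";">
    "/hsqldb%0a",                      # caught by <LocationMatch "hsqldb">
]


def http_status(url, timeout=10):
    """Return the HTTP status code for a GET to url, or None if no HTTP
    response was obtained (connection refused, timeout, TLS failure).

    BIG-IP management interfaces commonly present self-signed certificates,
    so certificate verification is disabled for this check only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code        # urllib raises on 4xx/5xx; 404 is the expected answer
    except OSError:          # URLError, socket timeout and SSL errors all subclass OSError
        return None


def check_mitigation(base_url, fetch=http_status):
    """Probe the control path and every verification path.
    `fetch` is injectable so the logic can be tested without a live device."""
    base = base_url.rstrip("/")
    return {
        "control_status": fetch(base + CONTROL_PATH),
        "probes": {p: fetch(base + p) for p in PROBE_PATHS},
    }


def verdict(result):
    """'mitigated' only if the login page is served AND every probe is 404."""
    if result["control_status"] != 200:
        return "inconclusive"
    if all(status == 404 for status in result["probes"].values()):
        return "mitigated"
    return "not mitigated"


if __name__ == "__main__":
    # Placeholder target; pass the real management address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://192.0.2.10"
    res = check_mitigation(target)
    print(f"{CONTROL_PATH:35} {res['control_status']}")
    for path, status in res["probes"].items():
        print(f"{path:35} {status}")
    print("verdict:", verdict(res))
    sys.exit(0 if verdict(res) == "mitigated" else 1)
```

Run it only against devices you are authorised to test. The paths are sent exactly as written (urllib does not collapse the `..;` segment or decode `%0a`), which is what makes the probe meaningful; a proxy or WAF in front of the device that rewrites or blocks these paths will also produce 404s, so verify from a vantage point that reaches the BIG-IP directly.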

  • Protection with NSFOCUS Products

NSFOCUS Web Application Firewall (WAF) rule No. 27526188 protects against this vulnerability. Users are advised to update their rule libraries as soon as possible so that the product provides effective protection. The rule library versions that contain the rule are listed below.

  • WAF 6.0.4.0 rule library update package, version 6.0.4.1.45556: http://update.nsfocus.com/update/downloads/id/106064
  • WAF 6.0.7.0 rule library update package, version 6.0.7.0.45556: http://update.nsfocus.com/update/downloads/id/106063
  • WAF 6.0.7.1 rule library update package, version 6.0.7.1.45556: http://update.nsfocus.com/update/downloads/id/106061

For how to update product rules, click the following link:

https://mp.weixin.qq.com/s/oubjPqR4DURWPvrQ9W9mWA
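For environments without a WAF rule in front of the device, the following added example (not part of the original alert and not NSFOCUS or F5 code) shows the same two request patterns this alert uses for verification being hunted in an httpd access log: a `..;` segment inside a `/tmui/` path and any request to `hsqldb`. It percent-decodes the request target before matching, so the encoded variants (`%2e%2e%3b`, `%0a`) are caught as well; the log lines are constructed in Apache common log format for illustration, and the response status is kept so that blocked attempts (404 from the workaround) can be told apart from requests that reached the TMUI (200).

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache common log format; not taken from a
# real device. Request targets are this alert's verification paths plus
# percent-encoded variants of them.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:14:22 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123
203.0.113.5 - - [05/Jul/2020:10:14:31 +0000] "GET /tmui/login.jsp/..;/login.jsp HTTP/1.1" 200 5123
203.0.113.7 - - [05/Jul/2020:10:15:02 +0000] "GET /tmui/login.jsp/%2e%2e%3b/login.jsp HTTP/1.1" 200 5123
203.0.113.9 - - [05/Jul/2020:10:16:40 +0000] "POST /hsqldb%0a HTTP/1.1" 200 77
198.51.100.2 - - [05/Jul/2020:10:17:01 +0000] "GET /tmui/login.jsp/..;/login.jsp HTTP/1.1" 404 196
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target):
    """Strip the query string, percent-decode twice (to catch double encoding
    such as %252e) and lowercase, so matching sees what the server sees rather
    than what the attacker typed."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def classify(line):
    """Return a hit dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise_path(m.group("target"))
    reasons = []
    if path.startswith("/tmui/") and "..;" in path:
        reasons.append("'..;' segment in TMUI path (authentication bypass pattern)")
    if "/hsqldb" in path:
        reasons.append("hsqldb endpoint requested")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),   # 404 means the workaround blocked it
        "reasons": reasons,
    }


def scan(log_text):
    """All suspicious requests in a log, in file order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['status']} {hit['method']:5} {hit['path']!r}"
              f"  <- {'; '.join(hit['reasons'])}")
```

A hit with status 200 on a device that was unpatched at that time should be treated as a possible compromise and investigated, not just blocked; the 404 hits show the workaround doing its job but still identify sources worth watching.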

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.