A remote code execution vulnerability %%cve:2020-5902%% in F5’s BIG-IP with CVSS score 10 is actively exploited.
Vulnerable versions are:
A directory traversal in the Traffic Management User Interface (TMUI) allows upload and execution of scripts (as root) by unauthenticated attackers.
F5 has released patched versions:
F5’s KB article K52145254: TMUI RCE vulnerability CVE-2020-5902.
We have observed Internet scans for this vulnerability. Remark that an attack over the Internet requires that F5’s BIG-IP control plane is exposed to the Internet (there are 8400+ F5 systems on the Internet according to Shodan).
Several exploits and a Metasploit module for this vulnerability are public.
There is also a sigma rule and an nmap script (remark: not released by nmap).
We recommend to patch this vulnerability immediately if you expose the TMUI to the Internet, and if you can not do that, remove direct access to the TMUI from the Internet if you expose it.
In any case, go over your logs to identify exploitation attempts (F5 published the KB July 1st, and first exploitation attempts on te Internet were observed starting July 3rd): look for “..;” in the URLs. If you use grep (or another tool with regular expressions) to search through your logs, remember that . matches any character: use a fixed string (option -F in grep).
And let me close with Johannes closing remark on today’s StormCast: “… certainly make sure that the management plane is not exposed to the public Internet, who knows when the next vulnerability in this feature will be found!”
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.