F5 Networks Warns Of Critical Security Flaw In Networking Devices

F5 says BIG-IP application delivery controllers used on many corporate and government networks are vulnerable to takeover by remote attackers

F5 Networks has warned users of its popular BIG-IP line of networking devices to install patches after researchers uncovered a severe security vulnerability.

The BIG-IP application delivery controllers carry out a range of networking tasks, such as load-balancing, application security management and firewall management.

They are routinely used by large companies and government agencies around the world, with F5 saying BIG-IP is used by 48 of the firms on the Fortune 50 list.

F5 said the flaw, designated CVE-2020-5902, could be used by unauthenticated attackers to execute malicious system commands, create or delete files, disable services and execute malicious Java code.

System compromise

“This vulnerability may result in complete system compromise,” the company said.

BIG-IP devices being used in Appliance mode are also vulnerable, F5 said in its advisory.

The issue is a Remote Code Execution (RCE) bug found in BIG-IP’s configuration utility, the Traffic Management User Interface (TMUI).

F5 published a list of affected BIG-IP software versions and urged users to upgrade to versions that have been patched.

For those unable to do so, the company also provided several temporary workarounds.

The vulnerability, discovered by Positive Technologies researcher Mikhail Klyuchnikov, has been given a rare 10 out of 10 CVSS severity rating.

It can be exploited by sending a malicious HTTP request to a server hosting a vulnerable TMUI version.

Klyuchnikov said systems compromised via the bug could be used to attack other parts of an organisation’s network.

Network breach

“(Remote code execution) in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” he said in an advisory.

Klyuchnikov noted that most organisations using BIG-IP do not enable access to the TMUI interface from the internet, making exploitation more difficult.

However, he said Positive had found that more than 8,000 vulnerable devices were nevertheless accessible via the internet as of June 2020, with most being in the US, followed by China and Taiwan.

Klyuchnikov also discovered a second vulnerability in the TMUI that could allow malicious JavaScript to be executed, with successful exploitation leading to a full compromise of the device.

He said web application firewalls can block attackers attempting to exploit either of the bugs.