Security Advisory: F5 BIG-IP Critical Severity RCE Vulnerability CVE-2020-5902

Updated on July 7th, 2020: The Cyber Fusion Center has learned that the original mitigation guidance provided by F5 was incomplete and has been bypassed. If organizations leveraged the mitigation guidance in this advisory previously, the CFC recommends that devices be patched as soon as possible. Organizations should leverage the updated mitigation in this advisory only as a last resort and plan to upgrade to a non-vulnerable version as soon as possible. The CFC also strongly recommends that organizations who deployed F5’s prior mitigation guidance (originally included in this advisory) should assume any F5 systems with public facing configuration / management interfaces have already been compromised and perform an immediate forensic investigation.

Updated on July 6th, 2020: to reflect that there are now several public Proof Of Concept (POC) exploits available on github and other repositories. Due to the availability of such PoC exploits and the due to the vulnerability being trivially exploitable, the CFC expects to see mass exploitation of this vulnerability in the next 24 hours. For clients without CFC Threat Monitoring, we strongly recommend organizations assume any public-facing F5 systems have already been compromised and perform an immediate forensic investigation.

Summary

On June 30th, 2020 F5 Networks published a security advisory that disclosed a critical severity Remote Code Execution (RCE) vulnerability exists within the configuration user interface (called TMUI) for several F5 BIG-IP systems. This vulnerability, assigned a CVSS score of 10.0 due to its exploitability and impact, could allow remote unauthenticated attackers who exploit this vulnerability to create or delete files, change the state of services, and/or run arbitrary Java code. Such access leads to full system compromise.

As of July 6^th, 2020, there have been several Proof Of Concept (PoC) exploits released on Github and twitter. The Cyber Fusion Center expects to see mass exploitation of this vulnerability with in the next 24 hours. Based on the Cyber Fusion Center’s analysis of several PoCs, we’ve determined that a single HTTP web request is all that is necessary to run arbitrary commands on F5 systems as root.

Once exploited, complete access to the affected F5 system could allow a sophisticated attacker to leverage the appliances privileged network location to compromise additional systems, monitor or tamper with sensitive network data, or establish a difficult to detect foothold within the environment.

This vulnerability affects all BIG-IP modules for BIG-IP 15.1.0 versions earlier than BIG-IP 15.1.0.4; all versions in the 15.0.0 branch; BIG-IP 14.X versions earlier than BIG-IP 14.1.2.6; BIG-IP 13.X versions earlier than 13.1.3.4;. This vulnerability does not affect BIG-IQ Centralized Management or Traffix SDC.

The Cyber Fusion Center strongly recommends that all BIG-IP versions be upgraded, or the mitigation steps described in this document be taken as soon as possible. For clients without CFC Threat Monitoring, we strongly recommend organizations assume any public facing F5 systems have already been compromised and perform an immediate forensic investigation.

Affected Versions of F5 BIG-IP Software

The table below outlines major F5 BIG_IP software releases and the minor or patch versions affected by this issue:

Major Version Number	Affected	Unaffected
15.X	<= 15.1.0.3	15.1.0.4
15.X	15.0.0	No version in this branch
14.X	<= 14.1.2.5	14.1.2.6
13.X	<= 13.1.3.3	13.1.3.4
12.X	<= 12.1.5.1	12.1.5.2
11.X	<= 11.6.5.1	11.6.5.2

Required Configuration for Vulnerability Exposure

This vulnerability is exploitable only on BIG-IP systems running versions identified as affected in the table above. Additionally, to be exploitable, the systems must not have a custom “LocationMatch” configuration statement configured in the http daemon (httpd) web server.

This vulnerability cannot be exploited if:

Running a BIG-IP version identified as unaffected in the table above.
(Updated July 7^th) httpd is configured to take action on the “LocationMatch” string of “;”.
Self IP addresses are configured to not permit TCP 443 connections.

For additional details, please see the F5 Networks Knowledge Base article “K13092: Overview of securing access to the BIG-IP system”

Solution

The Cyber Fusion Center strongly recommends upgrading to an unaffected version of BIG-IP software. This vulnerability is resolved in the following BIG-IP software versions:

11.6.5.2
12.1.5.2
13.1.3.4
14.1.2.6
15.1.0.4

Workarounds and Mitigations

Note: The the workaround section below has been updated on July 7^th, 2020 to include new guidance from F5 and the Cyber Fusion Center. The original mitigation steps provided by F5 were incomplete and have been bypassed.

The Cyber Fusion Center strongly recommends upgrading to BIG-IP software versions identified as unaffected in the table above. However, if upgrading is not possible at this time, there are some temporary mitigation steps that can be taken.

Overview of steps to secure all interfaces:

Login to the command line interface
Enter the traffic management shell (tmsh) by executing the command: tmsh
Enter the system editor for the https process by typing::

edit /sys httpd all-properties

(Updated July 7^th, 2020) In the portion of the configuration labeled “include” input the following syntax:

include '
<LocationMatch ";">
Redirect 404 /
</LocationMatch>
'

Save the changes to the file by pressing the “Esc” on your keyboard and then typing:

:wq!

Save the BIG-IP configuration by executing the command:

save /sys config

Finally, restart the httpd process by typing the command:

restart sys service httpd

Overview of steps to secure self IP addresses:

Login to the TMUI and navigate to Network >> Self IPs
Select the desired Self IP
Change the “Port Lockdown” configuration to “Allow None”
Click the “Update” button

Important: Repeat steps 2 through 4 until all self IPs are configure to “Allow None”. This change may impact other services. Create custom port configuration as needed. Not allowing access to port 443 on BIG-IP self IP addresses will prevent access to the TMUI.

Overview of steps to secure the TMUI:

Login to the command line interface
Enter the traffic management shell (tmsh) by executing the command:

tmsh

Add IP addresses or subnets to the current allowed list by typing the following command:

modify /sys httpd allow add { <IP address> }

Note: Multiple IP addresses can be added in this one line by separating them with a space. Subnets may be used by annotating the network address and subnet mask like:
192.168.0.0/255.255.255.0.

Save the BIG-IP configuration by executing the command:

save /sys config

Note: Even with this mitigation applied, users who can successfully authenticate on the BIG-IP system will still have the ability to exploit this vulnerability regardless of their privilege level.

Important (July 7^th, 2020): If you leveraged the original mitigation guidance provided by F5 (and included in our original advisory) above you should update the LocationMatch match string as soon as possible.

Update the LocationMatch directive as follows:

Change the following section of the httpd configuration (original mitigation provided):

<LocationMatch ".*\.\.;.*">

To this new updated LocationMatch directive:

<LocationMatch ";">

Detection Guidance

The Cyber Fusion Center strongly recommends that organizations search for the following patterns in network traffic or log data.

Path Traversal Patterns:

Use the URLs below to create patterns in network or log based detection tooling:

Snort / Suricata Patterns:

/tmui/login.jsp/..|3b|/

URI pattern:

/tmui/login.jsp/..;/

URI pattern (URL encoded):

%2Ftmui%2Flogin.jsp%2F..%3B%2F

HTTP requests to the following (partial) URIs:

Use the partial URIs below to search for exploitation in HTTP web logs or network based tooling:

Attempts to read files:

/tmui/locallb/workspace/fileRead.jsp?fileName=

Attempts to execute arbitrary Commands:

/tmui/locallb/workspace/tmshCmd.jsp?command=

Public / Open Source Intrusion Detection System Rules:

Emerging Threats (ET), operated by ProofPoint has publically released detection rules intended to identify the potential exploitation of a vulnerable F5 system.

Note: The Cyber Fusion Center did not write these rules and does not maintain or update them.