F5 Networks, one of the world’s largest providers of enterprise networking gear and application services, has issued a security advisory this week warning enterprises and governments across the world to immediately patch a critical vulnerability that is very likely to be exploited.
With a CVSS score of 10 out of 10, the critical vulnerability, tracked as CVE-2020-5902, affects F5’s BIG-IP networking devices running its application security services. These multi-purpose networking devices, widely used by large enterprises and governments, perform a variety of functions, including application acceleration, load balancing, rate shaping, SSL offloading, and web application firewalling.
According to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered and reported the vulnerability, the flaw is in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC).
Attackers can exploit the critical ‘remote code execution’ vulnerability to gain control of the TMUI component, which runs on top of a Tomcat server on BIG-IP’s Linux-based operating system.
The vulnerability’s CVSS score of 10 out of 10 reflects that the flaw is easy to exploit and to automate: exploitation requires neither valid credentials nor advanced coding skills.
A successful exploit allows attackers to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pivot to further targets such as the internal network, ultimately gaining full control over the BIG-IP device.
Detect F5 BIG-IP Exploitation Attempt
With this free Sigma threat detection rule, you can detect exploitation attempts against the critical F5 BIG-IP vulnerability described in CVE-2020-5902.
title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
author: Francesco Marcini
# The logsource and selection bodies were missing from the rule as published here;
# they are filled in below (an assumption) from the Sigma webserver field conventions
# and the TMUI path-traversal pattern ("..;/") documented in F5's advisory.
logsource:
    category: webserver
detection:
    selection_base:
        c-uri|contains: '/tmui/'
    selection_traversal:
        c-uri|contains: '..;/'
    condition: selection_base and selection_traversal
level: critical
To apply this detection rule, you can convert it to your SIEM language. It is also recommended to update BIG-IP to the latest version. More information available here.
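If your SIEM cannot ingest the rule directly, the same logic can be applied to raw access logs. The following Python script is an added example (not code from the original post or from Securemind) that evaluates the rule’s two selections over constructed Apache/nginx-style log lines; the field names, sample IPs and sample URIs are assumptions made up for the example. It goes slightly beyond the Sigma rule by URL-decoding the URI before matching, so percent-encoded variants of the traversal sequence are not missed.

```python
"""Apply the CVE-2020-5902 Sigma rule logic to web server access log lines."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Extracts the client IP and request URI from a "combined"-format access log line.
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# The two Sigma selections; the rule's condition requires both to match.
SELECTION_BASE = ("/tmui/",)
SELECTION_TRAVERSAL = ("..;/",)

# Constructed sample log (not real traffic): lines 2 and 3 should raise an alert,
# line 3 only because the traversal sequence is percent-encoded and gets decoded first.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
203.0.113.7 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200 1834
198.51.100.9 - - [05/Jul/2020:10:02:11 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/example.jsp HTTP/1.1" 404 0
192.0.2.4 - - [05/Jul/2020:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 9001
"""


def normalise_uri(uri: str) -> str:
    """URL-decode twice (to also catch double encoding) and lower-case the URI
    so that encoded forms of the path segments compare equal to the plain form."""
    return unquote(unquote(uri)).lower()


def matches_rule(uri: str) -> bool:
    """True when the URI satisfies selection_base AND selection_traversal."""
    u = normalise_uri(uri)
    base = any(needle in u for needle in SELECTION_BASE)
    traversal = any(needle in u for needle in SELECTION_TRAVERSAL)
    return base and traversal


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run the rule over every log line and return one alert per matching request."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue  # not a parseable request line; skip
        uri = req.group("uri")
        if matches_rule(uri):
            client = CLIENT_RE.match(line)
            alerts.append({
                "client_ip": client.group("ip") if client else "?",
                "uri": uri,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT CVE-2020-5902 attempt from {alert['client_ip']}: {alert['uri']}")
```

The decoding step is the caveat worth carrying into any SIEM translation: a rule that matches only the literal `..;/` string misses the encoded form on line 3, so either normalise the URI field at ingestion or add the encoded variants as additional `contains` values.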
You can also detect CMSTP.exe with INF files infected with malicious commands with our previous free Splunk detection rule.
Secure Your Organization’s Mind with Securemind.se