F5 Networks has announced a critical vulnerability in security systems that customers frequently deploy in the DMZ. Successful exploitation enables attackers to run arbitrary code with administrator rights on the target system. The malicious code is simply sent as a specially formatted request to the Traffic Management User Interface, without any prior authentication.
The Traffic Management User Interface (TMUI), also known as the Configuration Utility, is susceptible to a Remote Code Execution vulnerability (CVE-2020-5902). Proof-of-concept exploit code is already circulating, which means the vulnerability is already being exploited. There is, therefore, an urgent need to take action.
The vulnerability affects all BIG-IP systems up to and including version 15.x. Version 16.x is not affected.
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)

| Branch | Affected versions |
|--------|-------------------|
| 15.x   | 15.0.0 - 15.1.0   |
| 14.x   | 14.1.0 - 14.1.2   |
| 13.x   | 13.1.0 - 13.1.3   |
| 12.x   | 12.1.0 - 12.1.5   |
| 11.x   | 11.6.1 - 11.6.5   |
Install the corresponding security updates as soon as possible.
If the Traffic Management User Interface was reachable from the internet, there is a very high probability that the system has already been compromised. The F5 Knowledge Base article on this vulnerability (Indications of Compromise) provides additional information on how to detect a compromise. If there is any uncertainty, the affected system should be reset. More information can be found in the F5 article Considerations and guidance when you suspect a security compromise on a BIG-IP system.