Fewer than 500 machines have been patched since U.S. Cyber Command issued an alert to patch a critical bug that is under active exploitation.

About 8,000 users of F5 Networks’ BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution (RCE), despite a patch for a critical flaw being available for two weeks.

The BIG-IP family consists of application delivery controllers, Local Traffic Managers (LTMs) and domain name system (DNS) managers, together offering built-in security, traffic management and performance application services for private data centers or in the cloud.

At the end of June, F5 issued urgent patches for a critical RCE flaw (CVE-2020-5902), which is present in the Traffic Management User Interface (TMUI) of the company’s BIG-IP app delivery controllers. The bug has a CVSS severity score of 10 out of 10, and at the time of disclosure, Shodan showed that there were almost 8,500 vulnerable devices exposed on the internet.

Shortly after disclosure, public exploits were made available for the flaw, leading to mass scanning for vulnerable devices by attackers and, ultimately, active exploitation.

“CVE-2020-5902 received the highest vulnerability rating of critical from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,” Expanse researchers noted in an advisory issued on Friday. “It was deemed so critical that U.S. Cyber Command issued a tweet on the afternoon of July 3, recommending immediate patching despite the holiday weekend. While F5 did not release a proof of concept (PoC) for the exploit, numerous PoCs began appearing on July 5.”

Fast-forward two weeks, and patches have been applied to fewer than 500 of that original group of vulnerable machines, according to the analysis. Expanse researchers said that as of July 15, there were at least 8,041 vulnerable TMUI instances still exposed to the public internet.

The stakes are high, as one would expect from a critical-rated bug: “The vulnerability CVE-2020-5902 allows for the execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the TMUI,” explained the researchers. “This vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network.”

To boot, an additional bug, CVE-2020-5903, affects the same vulnerable management interface via a cross-site scripting (XSS) vulnerability that Expanse said could also be leveraged to achieve RCE.


Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover