DESCRIPTION:
F5 has patched a critical remote-code execution (RCE) vulnerability (CVE-2020-5902) in its BIG-IP application delivery controller (ADC) that puts many of the world’s biggest companies at risk.
To exploit it, an attacker needs to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration. Successful exploitation of the vulnerability could allow intruders to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code -- and eventually lead to attackers gaining full control over the BIG-IP device.
F5 has also fixed a vulnerability that could lead to cross-site scripting (XSS) attacks in the BIG-IP configuration interface. XSS vulnerability CVE-2020-5903 (score: 7.5) enables running malicious JavaScript code as the logged-in user. If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE.
AFFECTED RELEASES:
BIG-IP 15.x: 15.1.0/15.0.0
BIG-IP 14.x: 14.1.0 ~ 14.1.2
BIG-IP 13.x: 13.1.0 ~ 13.1.3
BIG-IP 12.x: 12.1.0 ~ 12.1.5
BIG-IP 11.x: 11.6.1 ~ 11.6.5
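A small inventory check, added here as an example and not part of the original advisory or of F5's own tooling, that tests reported BIG-IP versions against the ranges in the list above. The inventory dictionary and version strings are constructed for the example. The advisory lists releases at major.minor.point granularity, so the check deliberately ignores any fourth (hotfix/build) component and is therefore conservative: a hit means "confirm against the vendor article", not "definitely unpatched".

```python
"""Flag BIG-IP versions that fall inside the affected ranges listed in the advisory."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges transcribed from the AFFECTED RELEASES list.
# 15.x is given as two individual releases rather than a range.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 1, 0), (15, 1, 0)),
    ((15, 0, 0), (15, 0, 0)),
    ((14, 1, 0), (14, 1, 2)),
    ((13, 1, 0), (13, 1, 3)),
    ((12, 1, 0), (12, 1, 5)),
    ((11, 6, 1), (11, 6, 5)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.point[.build]' into a comparable tuple.

    Only the first three components are compared, because that is the
    granularity the advisory uses; a trailing hotfix/build number is ignored.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(text: str) -> bool:
    """True if the version lies inside any listed affected range (inclusive)."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each device name to whether its reported version is in an affected range."""
    return {host: is_affected(version) for host, version in inventory.items()}


# Constructed sample inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "bigip-edge-01": "14.1.2",
    "bigip-edge-02": "14.1.3",
    "bigip-dc-01": "15.0.0",
    "bigip-lab-01": "11.6.0",
    "bigip-lab-02": "12.1.5.1",   # fourth component ignored -> treated as 12.1.5
}

if __name__ == "__main__":
    for host, hit in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {'AFFECTED (verify against K52145254)' if hit else 'not in listed ranges'}")
```

Feed `triage()` the output of your own asset inventory; anything it flags belongs on the upgrade list, and anything with a fourth version component should be cross-checked against the F5 article before being marked safe.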
SOLUTION:
1. Users and system administrators of affected products are advised to upgrade to a fixed software version to fully mitigate this vulnerability.
2. If it is not possible to upgrade at this time, apply the following temporary mitigations:
• All TMUI interfaces: addresses unauthenticated attackers on all interfaces
• Self IPs: addresses unauthenticated and authenticated attackers on self-IPs, by blocking all access
• Management interface: addresses unauthenticated attackers on the management interface, by restricting access
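The mitigations above all come down to one question: who can reach TMUI, and from where? The following audit script is an added example (not from the advisory or from F5) that reads Apache-style access log lines and reports TMUI requests arriving from addresses outside an allow-listed management network, which is the condition the "Self IPs" and "Management interface" mitigations are meant to eliminate. The log format, the `/tmui` path prefix, the management network and the sample lines are all assumptions constructed for the example; adjust them to your own deployment.

```python
"""Report TMUI requests that originate outside the expected management network."""
import ipaddress
import re
from typing import Dict, List

# Assumed: management hosts live in this network. Constructed for the example.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Assumed: the configuration utility is served under this path prefix.
TMUI_PREFIX = "/tmui"

# Assumed Apache combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; addresses use documentation ranges.
SAMPLE_LOG = """\
10.0.5.12 - - [03/Jul/2020:10:01:11 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4512
203.0.113.7 - - [03/Jul/2020:10:02:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4512
203.0.113.7 - - [03/Jul/2020:10:02:31 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0
198.51.100.9 - - [03/Jul/2020:10:03:02 +0000] "GET /healthz HTTP/1.1" 200 17
garbage line that does not parse
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else {}


def in_management_net(ip_text: str) -> bool:
    """True if the client address is inside one of the allow-listed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def audit(log_text: str) -> List[Dict[str, str]]:
    """Collect TMUI requests whose source is not in the management allow-list.

    Unparseable lines are skipped rather than raising, so a single malformed
    entry does not abort the audit of a large log.
    """
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or not fields["path"].startswith(TMUI_PREFIX):
            continue
        if in_management_net(fields["ip"]):
            continue
        findings.append({
            "ip": fields["ip"],
            "ts": fields["ts"],
            "method": fields["method"],
            "path": fields["path"],
            "status": fields["status"],
        })
    return findings


def sources(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count offending requests per source address, for a quick summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']}  {h['ip']:15}  {h['method']} {h['path']} -> {h['status']}")
    print("per-source totals:", sources(hits))
```

Any address the script reports is one that can still reach the configuration utility after the mitigations are applied, so an empty result on a representative log is a useful check that the access restrictions actually took effect; a non-empty one tells you which self IP or management path still needs restricting.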
REFERENCE:
1. https://support.f5.com/csp/article/K52145254
2. https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/