Moderate
CVE-2020-5948 — F5 TMUI XSS vulnerability
Description
On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.
Ratings
- Attacker Value: Medium
- Exploitability: Medium
Technical Analysis
Attacker Value
“Reflected XSS” means an authenticated user has to pass a malicious, specially-crafted URL onto the iControl REST API.
“Undisclosed REST API endpoints” means it will take some time (perhaps, not much, but “it depends” given the black-box nature of F5 kit) to discover these weak entry points.
Once weak REST endpoints are known, an attacker has to get their crafted URL into some context where an F5 REST API user can pass it on in an authenticated context.
It is unlikely F5 users would click on obvious REST API URLs from non-trusted parties (nor that it would do much good depending on how authentication state is maintained). URL shorteners or on-hover cloaking could be used to trick said admins, but then there’s the “an attacker would have to know who are F5 iControl admins” hard part.
There are a handful of third-party iControl REST API projects on GitHub and Docker. It is theoretically possible a highly motivated attacker could target organizations via these projects, but all have a small number of GH stars, which suggests they aren’t super-popular/used.
It is unlikely opportunistic attackers will (a) dedicate resources to discovering the flawed REST API endpoints, and (b) be able to identify F5 iControl users to target.
This may be a useful weakness for more sophisticated attackers performing targeted attacks.
Mitigation
If one cannot patch their systems, F5 has noted that it is possible to mitigate this vulnerability by permitting management access to F5 products only over a secure network, and limiting access to only trusted users (though these are the users attackers are targeting, so it’s a bit of a head-scratcher).
For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 16.x) and K13092: Overview of securing access to the BIG-IP system.
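A defender-side check in the spirit of the mitigation above, added here as an example and not code from AttackerKB or F5: it walks management-plane access log lines and flags TMUI or iControl REST requests that arrive from outside the trusted management network, or that carry script markers in the request URL. It assumes Apache combined-format log lines (the sample lines are constructed), a trusted network of 10.10.0.0/16, and placeholder management paths; no real iControl REST endpoint is named.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed trusted management network; K13309 restricts Configuration
# utility access by source IP, so requests from anywhere else are suspect.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Management-plane URL prefixes on BIG-IP: TMUI and iControl REST.
# Assumption for this example, not a complete enumeration.
MGMT_PATH_PREFIXES = ("/tmui/", "/mgmt/")

# Generic markers of script injection in a reflected parameter.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Apache combined log format (assumed for the management httpd log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)


def analyse_line(line):
    """Return a list of finding tags for one log line (empty if nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return ["unparsed"]
    url = unquote(m["url"])          # decode %3C etc. before matching markers
    path = url.split("?", 1)[0]
    findings = []
    if path.startswith(MGMT_PATH_PREFIXES):
        if not any(ip in net for net in TRUSTED_MGMT_NETS):
            findings.append("mgmt-access-from-untrusted-source")
        if XSS_MARKERS.search(url):
            findings.append("script-markers-in-mgmt-request")
    return findings


def scan(lines):
    """Map line index -> findings for every line that produced at least one."""
    results = {}
    for idx, line in enumerate(lines):
        findings = analyse_line(line)
        if findings:
            results[idx] = findings
    return results


# Constructed sample lines (not real traffic); the /mgmt/ endpoint is a placeholder.
SAMPLE_LOG = [
    '10.10.5.20 - - [01/Dec/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2020:10:00:09 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 87',
    '10.10.5.21 - - [01/Dec/2020:10:01:14 +0000] "GET /mgmt/placeholder-endpoint?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1203',
    '198.51.100.3 - - [01/Dec/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```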
General Information
Vendors
- f5
Products
- big-ip access policy manager
- big-ip access policy manager 16.0.0
- big-ip advanced firewall manager
- big-ip advanced firewall manager 16.0.0
- big-ip analytics
- big-ip analytics 16.0.0
- big-ip application acceleration manager
- big-ip application acceleration manager 16.0.0
- big-ip application security manager
- big-ip application security manager 16.0.0
- big-ip domain name system
- big-ip domain name system 16.0.0
- big-ip fraud protection service
- big-ip fraud protection service 16.0.0
- big-ip global traffic manager
- big-ip global traffic manager 16.0.0
- big-ip link controller
- big-ip link controller 16.0.0
- big-ip local traffic manager
- big-ip local traffic manager 16.0.0
- big-ip policy enforcement manager
- big-ip policy enforcement manager 16.0.0
Forgot I analyzed this. The patch: Think it was com/f5/tmui/dashboard/Manager.java. Endpoint should be /tmui/dashboard/manager.jsp. FYI, it took 15 minutes. Cheers!