Attacker Value

Moderate

CVE-2020-5948 — F5 TMUI XSS vulnerability

Attacker Value

Moderate

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2020-5948 — F5 TMUI XSS vulnerability

Disclosure Date: December 11, 2020 •

CVE-2020-5948 CVSS v3 Base Score: 9.6

Description

On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.

Add Assessment

hrbrmstr (72)

December 14, 2020 2:12pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Medium

Exploitability

Medium

Common in enterprise Gives privileged access Vulnerable in default configuration Difficult to weaponize Requires user interaction

Technical Analysis

Attacker Value

“Reflected XSS” means an authenticated user has to pass a malicious, specially-crafted URL onto the iControl REST API.

“Undisclosed REST API endpoints” means it will take some time (perhaps, not much, but “it depends” given the black-box nature of F5 kit) to discover these weak entry points.

Once weak REST endpoints are known, an attacker has to get their crafted URL into some context where an F5 REST API user can pass it on in an authenticated context.

It is unlikely F5 users would click on obvious REST API URLs from non-trusted parties (nor that it would do much good depending on how authentication state is maintained). URL shorteners or on-hover cloaking could be used to trick said admins, but then there’s the “an attacker would have to know who are F5 iControl admins” hard part.

There are a handful of third-party iControl REST API projects on GitHub and Docker. It is theoretically possible a highly motivated attacker could target organizations via these projects, but all have a small number of GH stars, which suggests they aren’t super-popular/used.

It is unlikely opportunistic attackers will (a) dedicate resources to discovering the flawed REST API endpoints, and (b) be able to identify F5 iControl users to target.

This may be a useful weakness for more sophisticated attackers performing targeted attacks.

Mitigation

If one cannot patch their systems, F5 has noted that it is possible to mitigate this vulnerability, by permitting management access to F5 products only over a secure network, and limiting access to only trusted users (though these are the users attackers are targeting, so it’s a bit of a head-scratcher).

For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 16.x) and K13092: Overview of securing access to the BIG-IP system.

See More &1 replySee Less

wvu-r7 (437) March 10, 2021 5:50pm UTC (3 years ago)•Edited 3 years ago

Forgot I analyzed this. The patch:

-  private static final List<String> BLACKLIST_FROM_DIV = Arrays.asList(new String[] { "onclick", "ondblclick", "onmousedown", "onmouseup", "onmouseover", "onmousemove", "onmouseout", "onkeypress", "onkeydown", "onkeyup" });
+  private static final List<String> BLACKLIST_KEYWORDS = Arrays.asList(new String[] { "onclick", "ondblclick", "onmousedown", "onmouseup", "onmouseover", "onmousemove", "onmouseout", "onkeypress", "onkeydown", "onkeyup" });

   private boolean isSafeBody(String body) {
     int idx = body.indexOf("\"directiveOption\":");
     while (idx != -1) {
       body = body.substring(idx);
       String str_pattern = "(?<!\\\\)\"";
       Pattern p = Pattern.compile(str_pattern);
       Matcher m = p.matcher(body);
       int idx_opts_end = 0;
       for (int i = 0; i < 4; i++) {
         if (m.find()) {
           idx_opts_end = m.start();
         } else {
           return true;
         } 
       } 
       String opts = body.substring(0, idx_opts_end + 1);
       ArrayList<String> parts = new ArrayList<>(Arrays.asList(opts.split(" ")));
       for (String part : parts) {
-        String[] key_value = part.split("=");
-        String key = key_value[0];
-        for (String keyword : BLACKLIST_FROM_DIV) {
-          if (key.equals(keyword))
+        for (String keyword : BLACKLIST_KEYWORDS) {
+          if (part.contains(keyword))
             return false; 
         } 
       } 
       body = body.substring(idx_opts_end);
       idx = body.indexOf("\"directiveOption\":");
     } 
     return true;
   }

Think it was com/f5/tmui/dashboard/Manager.java. Endpoint should be /tmui/dashboard/manager.jsp. FYI, it took 15 minutes. Cheers!

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.6 Critical

Impact Score:

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Products

big-ip access policy manager,
big-ip access policy manager 16.0.0,
big-ip advanced firewall manager,
big-ip advanced firewall manager 16.0.0,
big-ip analytics,
big-ip analytics 16.0.0,
big-ip application acceleration manager,
big-ip application acceleration manager 16.0.0,
big-ip application security manager,
big-ip application security manager 16.0.0,
big-ip domain name system,
big-ip domain name system 16.0.0,
big-ip fraud protection service,
big-ip fraud protection service 16.0.0,
big-ip global traffic manager,
big-ip global traffic manager 16.0.0,
big-ip link controller,
big-ip link controller 16.0.0,
big-ip local traffic manager,
big-ip local traffic manager 16.0.0,
big-ip policy enforcement manager,
big-ip policy enforcement manager 16.0.0

References

Canonical

CVE-2020-5948 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5948)

Advisory

https://support.f5.com/csp/article/K42696541

Rapid7

Moderate