Attacker Value: Moderate (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2020-5948 — F5 TMUI XSS vulnerability

Disclosure Date: December 11, 2020
MITRE ATT&CK Tactics: Initial Access
Validation: Validated

Description

On BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.

Impact

An attacker may exploit this vulnerability by delivering a crafted URL that triggers a reflected cross-site scripting (XSS) flaw in an undisclosed page of the Configuration utility; the injected script then runs in the victim's browser with whatever session that user holds on the BIG-IP.
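As an added illustration of the flaw class described above (this is not F5 code, and the affected endpoint remains undisclosed), the following Python shows a minimal reflected-XSS sink beside its hardened form. The `/search` endpoint, the `q` parameter and the crafted URLs are assumptions constructed for the example.

```python
# Added illustration of a reflected XSS sink and its hardened form.
# Not F5 code: the endpoint "/search", the parameter "q" and the URLs are assumptions.
import html
from urllib.parse import parse_qs, urlsplit

PAGE_TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def extract_param(url: str, name: str) -> str:
    """Return one query parameter from a full URL, percent-decoded ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the untrusted parameter into the HTML body as-is (the bug class)."""
    return PAGE_TEMPLATE.format(term=extract_param(url, "q"))


def render_hardened(url: str) -> str:
    """Same page, with the parameter entity-encoded for the HTML body context."""
    return PAGE_TEMPLATE.format(term=html.escape(extract_param(url, "q"), quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Crude indicator of whether the payload survived as markup after rendering."""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered


# Constructed sample URLs of the kind an attacker would hand to an administrator.
CRAFTED_URL = "https://bigip.example.test/search?q=<script>alert(1)</script>"
# The same payload percent-encoded (what a link in an e-mail would actually carry).
CRAFTED_URL_ENCODED = (
    "https://bigip.example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)

if __name__ == "__main__":
    for url in (CRAFTED_URL, CRAFTED_URL_ENCODED):
        print("vulnerable:", render_vulnerable(url))
        print("hardened:  ", render_hardened(url))
```

The second constructed URL percent-encodes the payload; `parse_qs` decodes it before reflection, so encoding or shortening the link hides the payload from the victim but not from the server. The escaping shown is specific to the HTML body context; a value reflected into an attribute, a script block or a URL needs the encoding for that context.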

Technical Analysis

Attacker Value

“Reflected XSS” means an authenticated user has to pass a malicious, specially-crafted URL onto the iControl REST API.

“Undisclosed REST API endpoints” means it will take some time (perhaps, not much, but “it depends” given the black-box nature of F5 kit) to discover these weak entry points.

Once weak REST endpoints are known, an attacker has to get their crafted URL into some context where an F5 REST API user can pass it on in an authenticated context.

It is unlikely F5 users would click on obvious REST API URLs from non-trusted parties (nor that it would do much good depending on how authentication state is maintained). URL shorteners or on-hover cloaking could be used to trick said admins, but then there’s the “an attacker would have to know who are F5 iControl admins” hard part.

There are a handful of third-party iControl REST API projects on GitHub and Docker. It is theoretically possible a highly motivated attacker could target organizations via these projects, but all have a small number of GH stars, which suggests they aren’t super-popular/used.

It is unlikely opportunistic attackers will (a) dedicate resources to discovering the flawed REST API endpoints, and (b) be able to identify F5 iControl users to target.

This may be a useful weakness for more sophisticated attackers performing targeted attacks.

Mitigation

If one cannot patch their systems, F5 has noted that it is possible to mitigate this vulnerability by permitting management access to F5 products only over a secure network, and limiting access to only trusted users (though these are the users attackers are targeting, so it’s a bit of a head-scratcher).

For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 16.x) and K13092: Overview of securing access to the BIG-IP system.
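As an added example of checking the K13309 mitigation referenced above (written for this page; it is not an F5 tool and not part of the assessment), the following Python parses the `allow` list from `tmsh list /sys httpd allow` output, flags the default `all` or an any-network entry as unrestricted, and builds the `modify /sys httpd allow replace-all-with { ... }` command that K13309 describes (followed on the box by `save /sys config`). The two sample tmsh outputs are constructed.

```python
# Added example: audit the BIG-IP management-plane HTTP allow list and build the
# K13309 remediation command. Illustrative code written for this page, not an F5 tool.
# The object/property (sys httpd allow) and the command form follow K13309; the
# sample tmsh output below is constructed.
import ipaddress
import re

# Constructed sample of `tmsh list /sys httpd allow` on a default system.
SAMPLE_UNRESTRICTED = """sys httpd {
    allow { all }
}
"""

# Constructed sample after the allow list has been restricted to trusted sources.
SAMPLE_RESTRICTED = """sys httpd {
    allow { 10.0.0.0/8 192.0.2.10 }
}
"""


def parse_httpd_allow(tmsh_output: str) -> list:
    """Return the entries of the 'allow' block from `list /sys httpd allow` output."""
    match = re.search(r"allow\s*\{\s*([^}]*)\}", tmsh_output)
    if not match:
        raise ValueError("no 'allow' block found in tmsh output")
    return match.group(1).split()


def is_unrestricted(entries: list) -> bool:
    """True if 'all' (the default) or a /0 network is present: reachable from anywhere."""
    for entry in entries:
        if entry.lower() == "all":
            return True
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an address or network (tmsh also accepts keywords); ignore here.
            continue
        if net.prefixlen == 0:
            return True
    return False


def build_restrict_command(trusted: list) -> str:
    """Build the tmsh command from K13309 that replaces the allow list with trusted sources."""
    validated = []
    for item in trusted:
        # ip_network accepts single hosts and CIDR ranges and raises on garbage,
        # so a typo cannot silently widen the management plane.
        net = ipaddress.ip_network(item, strict=False)
        validated.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    if not validated:
        raise ValueError("refusing to build an empty allow list")
    return "modify /sys httpd allow replace-all-with { " + " ".join(validated) + " }"


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_UNRESTRICTED), ("restricted", SAMPLE_RESTRICTED)):
        entries = parse_httpd_allow(sample)
        print(label, entries, "UNRESTRICTED" if is_unrestricted(entries) else "ok")
    print(build_restrict_command(["10.0.0.0/8", "192.0.2.10"]))
```

Restricting source addresses only narrows who can reach the Configuration utility; it does not remove the XSS itself, and an admin on a trusted network who opens a crafted link is still exposed until the system is patched.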

CVSS V3 Severity and Metrics
Base Score: 9.6 Critical
Impact Score: 6
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Products

  • BIG-IP
