F5 Networks BIG-IP : TMUI RCE vulnerability (K52145254)

critical Nessus Plugin ID 137918

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.(CVE-2020-5902)

Impact

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Note : All information present on an infiltrated system should be considered compromised. This includes, but is not limited to, logs, configurations, credentials, and digital certificates.

Important : If your BIG-IP system has TMUI exposed to the Internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures. Refer to the Indicatorsof compromise section.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K52145254.

See Also

https://support.f5.com/csp/article/K52145254

Plugin Details

Severity: Critical

ID: 137918

File Name: f5_bigip_SOL52145254.nasl

Version: 1.12

Type: local

Published: 7/1/2020

Updated: 2/25/2022

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2020-5902

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2020

Vulnerability Publication Date: 7/1/2020

CISA Known Exploited Dates: 5/3/2022

Exploitable With

Metasploit (F5 BIG-IP TMUI Directory Traversal and File Upload RCE)

Elliot (F5 BIG-IP Traffic Management User Interface File Disclosure)

Reference Information

CVE: CVE-2020-5902

IAVA: 2020-A-0283-S

CISA-NCAS: AA22-011A