Threat Actors Bypass Mitigation for F5 BIG-IP RCE Flaw
I. Targeted Industries
- Higher Education
- Public/Private Education
- Finance and Insurance
- E-commerce Sites
- Small-Medium Businesses
In early June, researchers at F5 Networks communicated a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2020-5902, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product. To mitigate this vulnerability, F5 Networks originally recommended upgrading to a patched software version; however, threat actors began exploitation before the public was aware of the mitigation technique. Because of this vulnerability, unauthenticated attackers, as well as authenticated users, with network access to the TMUI via the BIG-IP management port and/or self IPs can exploit the device. This issue has a large impact on the control plane, while the data plane remains unaffected.
III. Background Information
F5’s BIG-IP load balancer has evolved into a platform that delivers the services required by complex applications. Applications that depend on it for security, availability, mobility, and access and identity management are at risk. BIG-IP validates the authenticity of end users and mitigates threats at the application layer, so the exploitation of a BIG-IP vulnerability can be detrimental to applications, organizations, and, most importantly, data. Security experts have discovered a technique that bypasses the mitigation procedures for the vulnerability in BIG-IP. Software vulnerabilities are rated using the Common Vulnerability Scoring System (CVSS), which assigns a score ranging from 0.0 to 10.0. CVE-2020-5902 has been scored a 10, the critical risk level. The vulnerability allows unauthorized access, which attackers can use to reach the TMUI component and execute arbitrary system commands, disable services, execute arbitrary Java code, and create or delete files, potentially taking over the BIG-IP device. Since the public release of the vulnerability, security experts have reported an increase in exploitation efforts, during which threat actors identified a bypass for the mitigation.
IV. MITRE ATT&CK
- Exploitation of Remote Services
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. The exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, a service, the operating system software, or the kernel itself to execute adversary-controlled code. A common goal of post-compromise exploitation of remote services is lateral movement to gain access to a remote system.
- Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for arbitrary code execution. Oftentimes the most valuable exploits in an offensive toolkit are those that obtain code execution on a remote system, because they can be used to gain access to that system. Users expect to see files related to the applications they commonly use for work, so those applications are a useful target for exploit research and development because of their high utility.
- Exploit Public-Facing Application
Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites but can include databases (like SQL), standard services (like SMB or SSH), and any other applications with Internet-accessible open sockets, such as web servers and related services.
- Command and Scripting Interpreter
- Patch Updates
Update consistently and patch known vulnerabilities, including upgrading BIG-IP to a fixed software version.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch any suspicious behavior related to the attack.
- Run this command to check web logs for any compromises
Any commands run through this exploitation (shown in our IOCs) can be identified with the following command: journalctl /bin/logger | grep '"/hsqldb'
- Restrict Access
Restrict all access to self IPs and the management interface, and allow management access only via a secure network.
- Recommended Article: https://support.f5.com/csp/article/K52145254
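The log check above greps for a single string. As an added example (not part of this advisory, nor F5's own tooling), the following Python script applies the same idea to web-server access logs: it flags requests whose path, after percent-decoding, reaches the hsqldb endpoint named in the grep, and requests carrying the ".." followed by ";" path-segment pattern that F5's published mitigation for this vulnerability (the K52145254 article linked above) blocks. The Apache-style log lines are constructed for illustration, and the decode-twice step is an assumption made so that double-encoded semicolons do not slip past the matcher.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2020:10:15:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jul/2020:10:15:03 +0000] "GET /tmui/login.jsp/..;/tmui/system/settings/index.jsp HTTP/1.1" 200 1400 "-" "curl/7.68.0"
198.51.100.7 - - [08/Jul/2020:10:16:11 +0000] "POST /hsqldb HTTP/1.1" 200 88 "-" "python-requests/2.23"
198.51.100.7 - - [08/Jul/2020:10:16:12 +0000] "POST /hsqldb%3B HTTP/1.1" 200 88 "-" "python-requests/2.23"
192.0.2.44 - - [08/Jul/2020:10:17:30 +0000] "GET /tmui/tmui/system/settings/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    reason: str


def normalize_path(raw: str) -> str:
    """Percent-decode twice (assumption: catch double encoding), drop the query, lowercase."""
    decoded = unquote(unquote(raw))
    return decoded.split("?", 1)[0].lower()


def classify(raw_path: str) -> Optional[str]:
    """Return a reason string if the request path matches a known indicator, else None."""
    path = normalize_path(raw_path)
    if "..;" in path:
        # Semicolon path-parameter traversal, the pattern F5's LocationMatch mitigation targets.
        return "semicolon path traversal (..;) toward TMUI"
    if "hsqldb" in path:
        # The endpoint named in the advisory's journalctl/grep check.
        return "request to hsqldb endpoint (mitigation-bypass indicator)"
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan access-log text and return one Finding per suspicious request, in file order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        reason = classify(m["path"])
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["path"], int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.status} {f.path} -> {f.reason}")
```

On the sample input the first and last lines are ordinary TMUI requests and are not reported; the three remaining lines are flagged, the last of them only because the encoded semicolon is decoded before matching. Feed the script a real access log (for example by replacing SAMPLE_LOG with the file contents) and treat any 200 response on a flagged line as a device that needs a full compromise assessment rather than just a patch.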
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.