The U.S. Cybersecurity and Infrastructure Security Agency is warning that threat actors are actively exploiting a remote code execution vulnerability in F5’s BIG-IP network products that can allow attackers to exfiltrate data, access networks, carry out commands, create or delete files and disable services.
Earlier, security researchers, F5 and the U.S. Cyber Command urged users to patch the vulnerability in BIG-IP networking products, which is tracked as CVE-2020-5902. Security firm Expanse warned that some 8,000 installations remained unpatched for this flaw (see: Thousands of Flawed F5 BIG-IP Networking Products Unpatched).
CISA, which is part of the U.S. Department of Homeland Security, notes in its warning that since July 6, threat actors have been scanning and conducting reconnaissance to locate vulnerable BIG-IP installations, and some attackers are now beginning to exploit the vulnerability.
CISA has confirmed that so far, two organizations have been compromised, but it’s investigating other attacks, according to the alert.
“CISA has conducted incident response engagements at U.S. government and commercial entities where malicious cyber threat actors have exploited CVE-2020-5902 – an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI) – to take control of victim systems,” according to the alert issued Friday.
CISA did not offer more details, but it explained that proof-of-concept exploits have been available for this vulnerability for several weeks.
Widely Used Products
When the vulnerability was first disclosed on July 3, CVE-2020-5902 received a 10 out of 10 score on the CVSSv3 severity scale, which is one reason government agencies such as the U.S. Cyber Command and the MS-ISAC Center for Internet Security issued advisories urging prompt patching for the vulnerability (see: Patching Urged as F5 BIG-IP Vulnerability Exploited).
BIG-IP networking products are used by several major banks, government agencies and internet service providers around the world, as well as by Microsoft and Oracle.
The CVE-2020-5902 vulnerability lies in the management port of the Traffic Management User Interface, according to security firm Positive Technologies, which discovered the vulnerability and reported it to F5 earlier this month.
In its alert, CISA notes that it expects to see more attacks exploiting unpatched F5 BIG-IP networking products and strongly urges users and administrators to upgrade their systems and apply patches when possible.
In addition to urging organizations to patch, CISA provides detection measures and mitigation strategies. It recommends administrators check the F5 security advisory for indicators of compromise and use F5’s CVE-2020-5902 IoC Detection Tool to check for possible exploitation. The agency also recommends organizations quarantine or take offline systems that have potentially been affected by an exploit.
For organizations that have had their BIG-IP network products compromised, CISA recommends several steps to help mitigate the risks, including:
- Reimage compromised hosts;
- Provision new account credentials;
- Limit access to the management interface to the fullest extent possible;
- Implement network segmentation.
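As an added illustration, not code from the article, CISA or F5, the check below scans web-access log lines for requests to the TMUI and flags any that come from outside the administrative subnets an organization permits: such hits are evidence that the management interface is reachable more widely than the last mitigation above intends, and match the scanning activity CISA describes. The log format, the `/tmui/` path prefix, the addresses and the allowed subnets are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in a generic combined-log style (an assumption, not F5's own log format).
SAMPLE_LOG = """\
10.10.5.23 - - [07/Jul/2020:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4521
203.0.113.45 - - [07/Jul/2020:09:12:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4521
203.0.113.45 - - [07/Jul/2020:09:12:59 +0000] "GET /tmui/ HTTP/1.1" 302 0
198.51.100.7 - - [07/Jul/2020:09:13:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4521
10.10.5.23 - - [07/Jul/2020:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 880
203.0.113.45 - - [07/Jul/2020:09:15:00 +0000] "GET /index.html HTTP/1.1" 404 0
"""

# Fields we need from each line: source IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Path prefix under which the TMUI is served (assumption for this example).
TMUI_PREFIX = "/tmui/"


def find_external_tmui_access(log_text, allowed_cidrs):
    """Return {source_ip: [(timestamp, method, path, status), ...]} for every
    TMUI request whose source is not inside one of allowed_cidrs."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(TMUI_PREFIX):
            continue  # unparsable line, or not a management-interface request
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in allowed):
            continue  # request came from a permitted administrative subnet
        hits.setdefault(m["ip"], []).append((m["ts"], m["method"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    # Administrative subnet permitted to reach the management interface (constructed).
    for ip, reqs in find_external_tmui_access(SAMPLE_LOG, ["10.10.0.0/16"]).items():
        print(f"{ip}: {len(reqs)} TMUI request(s) from outside the allowed subnets")
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} -> {status}")
```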