BIG-IP Load Balancer Vulnerability Overview
This threat report covers a vulnerability that affects F5 Networks' BIG-IP application services load balancers. The vulnerability is tracked as CVE-2020-5902.
Successful exploitation may allow a bad actor to perform remote code execution at a heightened privilege level.
There are patches available and a system hardening recommendation as well.
Tactics, Techniques, and Procedures to Exploit BIG-IP Vulnerability
CVE-2020-5902 is a vulnerability in the TMUI (Traffic Management User Interface), which is a key configuration utility within the system.
The vulnerability can be exploited by both authenticated and unauthenticated attackers using the designated management port. The attacker can execute system commands and modify the system in a myriad of ways, which may result in a total compromise of the BIG-IP.
Systems in appliance mode are also affected by this vulnerability.
See the table below for the proper upgrade tree.
If the patch cannot be applied or your version lacks a proper patch, consider implementing the workaround found in the recommendations section of this document.
What the F5 BIG-IP Load Balancer Vulnerability Means to You
- May lead to unauthorized changes to your BIG-IP F5 appliance.
- May provide a foothold for bad actors to engage in traffic shaping on your critical assets.
What You Can Do About this BIG-IP Vulnerability
We recommend you implement the patch to avoid possible successful exploitation of the BIG-IP load balancer vulnerability.
You should also block external access to the TMUI pages on your F5 appliance.
This workaround may help as a stopgap measure:
- Log in to the TMOS Shell (tmsh) by entering the following command: tmsh
- Edit the httpd properties by entering the following command: edit /sys httpd all-properties
- Locate the include section and add the following:
      include '
      <LocationMatch ".*\.\.;.*">
      Redirect 404 /
      </LocationMatch>
      '
- Write and save the changes to the configuration file by entering the following commands:
- Save the configuration by entering the following command: save /sys config
- Restart the httpd service by entering the following command: restart sys service httpd
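To check whether requests matching the workaround's LocationMatch pattern have reached the management interface, the same pattern can be run over the httpd access log. The script below is an added example, not F5's or this report's own code; it assumes Apache common/combined log format, and the sample log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Pattern copied from the LocationMatch rule in the workaround above.
WORKAROUND_RE = re.compile(r".*\.\.;.*")
# Assumption: Apache common/combined log format; adjust to your LogFormat.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [06/Jul/2020:10:00:01 +0000] "GET /tmui/placeholder HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jul/2020:10:00:05 +0000] "GET /tmui/a/..;/b?x=1 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [06/Jul/2020:10:05:09 +0000] "GET /tmui/a/%2e%2e%3b/b HTTP/1.1" 404 0',
    '192.0.2.10 - - [06/Jul/2020:10:06:00 +0000] "GET /tmui/page?q=..; HTTP/1.1" 200 90',
]

def path_matches(target):
    """True if the URL path (raw or percent-decoded) matches the rule."""
    seen = target.split("?", 1)[0]   # the rule applies to the path, not the query
    for _ in range(3):               # bounded decoding for nested encodings
        if WORKAROUND_RE.search(seen):
            return True
        decoded = unquote(seen)
        if decoded == seen:
            return False
        seen = decoded
    return bool(WORKAROUND_RE.search(seen))

def scan(lines):
    """Return one finding per log line whose request path matches the rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and path_matches(m["target"]):
            findings.append({
                "line": number, "src": m["src"], "time": m["ts"],
                "target": m["target"], "status": int(m["status"]),
                # Anything other than 404 means the request was not turned
                # away by the Redirect rule and should be investigated.
                "served": m["status"] != "404",
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A matching request logged with a status other than 404 was not stopped by the rule, either because it predates the workaround or because the rule is not active.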
Sources and Additional Information
- MITRE Mapping(s)