Thousands of Flawed F5 BIG-IP Networking Products UnpatchedVulnerability Can Allow Remote Code Execution
Despite warnings from security researchers and U.S. Cyber Command earlier this month, thousands of users have not yet patched their F5 BIG-IP networking products to fix a critical vulnerability that could allow for remote code execution, according to security firm Expanse.
During recent scans, Expanse researchers found about 8,000 F5 BIG-IP networking installations remained unpatched for a vulnerability tracked as CVE-2020-5902, which could allow hackers to access networks, carry out commands, create or delete files, disable services and run remote code execution.
The CVE-2020-5902 vulnerability received a 10 out of 10 score on the CVSSv3 severity scale, which prompted the U.S. Cyber Command and the MS-ISAC Center for Internet Security to issue advisories urging prompt patching (see: Patching Urged as F5 BIG-IP Vulnerability Exploited).
When the vulnerability was first disclosed on July 3, security researchers using the Shodan search engine estimated there were as many as 8,500 F5 BIG-IP networking product installations exposed to this particular vulnerability, which means most of these users have not applied the fix over the last three weeks.
"This vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers and serve as a hop point into other areas of the network," according to the recent warning from Expanse.
BIG-IP networking products are used by major banks, government agencies, internet service providers and Fortune 500 firms, including Microsoft and Oracle.
The products include a number of components, such as load balancers, access gateways and application delivery controllers. The CVE-2020-5902 vulnerability is located within the management port located in the Traffic Management User Interface, according to security firm Positive Technologies, which discovered the vulnerability and brought it to the attention of F5.
When the flaw was first disclosed over the July 4th holiday weekend, Rich Warren, a researcher with security firm NCC Group, reported that his company's honeypots had found an uptick in remote code execution attempts targeting the BIG-IP vulnerability, with a majority apparently originating in China.
At around the same time, some researchers published proof-of-concept exploits of the vulnerability, which is another reason why the U.S. Cyber Command issued a warning to apply the F5 patches immediately or use a mitigation strategy until the fix could be applied.
Over the last month, researchers and government agencies have warned of other significant vulnerabilities found in other popular products.
For example, on June 30, the U.S. Cyber Command and others warned users of Palo Alto Networks PAN-OS software to patch a critical flaw that, if exploited, could enable hackers to remotely bypass authentication controls and gain full access to systems or networks (see: US Cyber Command Alert: Patch Palo Alto Networks Products).
On July 14, Microsoft issued a warning to customers to patch a "wormable" vulnerability affecting the Windows Server operating system. If exploited, this flaw could allow attackers to exploit an organization's entire infrastructure by crafting malicious DNS inquires (see: Microsoft: Patching 'Wormable' Windows Server Flaw Is Urgent).
The disclosure of this vulnerability in Windows Server promoted the U.S. Cybersecurity and Infrastructure Security Agency to issue a directive on Thursday requiring federal agencies to patch their systems.