Threat actors are attempting to exploit recently fixed F5 BIG-IP flaw

Attackers are already attempting to exploit the recently fixed bug in F5 Networks BIG-IP product, security experts warn.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product. F5 Networks has recently addressed a critical remote code execution (RCE) vulnerability, tracked as CVE-2020-5902, that resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The BIG-IP product is an application delivery controller (ADC). It is used by government agencies and major businesses, including banks, service providers and IT giants like Facebook, Microsoft and Oracle.

F5 Networks says the BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received a CVSS score of 10, which means that it is quite easy to exploit. The issue could be exploited by sending a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

US Cyber Command is urging organizations using the F5 product to immediately patch their installs.

URGENT: Patching CVE-2020-5902 and 5903 should not be postponed over the weekend. Remediate immediately. https://t.co/UBKECuN7Vv
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 3, 2020

Unfortunately, the forecast was right: hackers have started targeting F5 BIG-IP equipment exposed online.

Researcher Rich Warren from NCC Group told ZDNet that hackers are attempting to exploit the flaw to steal administrator passwords from the hacked devices.

Ok, we are seeing active exploitation of CVE-2020-5902
Patch it today
— Rich Warren (@buffaloverflow) July 4, 2020

First exploits coming from pic.twitter.com/HAySCfh79y
— Rich Warren (@buffaloverflow) July 4, 2020

The attacks began immediately after the US Cyber Command’s alert. The attacks against Warren’s honeypots originated from five different IP addresses.

Experts believe that nation-state actors will likely start exploiting the flaw very soon. To get an idea of the potential impact of the issue, consider that thousands of vulnerable devices are exposed online. Researchers from Bad Packets have located 1,832 vulnerable F5 hosts online.

Our preliminary CVE-2020-5902 scans have located 1,832 vulnerable F5 hosts.
System administrators need to upgrade to fixed versions ASAP. A proof-of-concept exploit is now publicly available. https://t.co/10dctpB4LA
— Bad Packets (@bad_packets) July 5, 2020

The post Threat actors are attempting to exploit recently fixed F5 BIG-IP flaw appeared first on Security Affairs.