Serious vulnerability in F5’s BIG-IP equipment enables remote code execution
Researchers have found a major vulnerability in F5’s BIG-IP networking equipment. Proofs of concept have now also been released that allow, among other things, unauthenticated remote code execution. Active attacks have been observed.
The vulnerabilities were discovered last week in BIG-IP equipment from manufacturer F5. F5 makes network devices that can be used, for example, to set up firewalls or gateways on networks. Last week, a serious vulnerability was revealed in the Traffic Management User Interface of the company’s Application Delivery Controller. The vulnerability, known as CVE-2020-5902, allows attackers to perform remote code execution as an unauthorized user. Several security researchers say they have already made or are working on a proof of concept. This would make it easy for attackers to exploit the vulnerability themselves.
BIG-IP networks are an attractive target for criminals. F5’s hardware is used by large, influential companies. F5 itself says that the equipment is used in 48 of the 50 largest companies in America. The vulnerability itself is also attractive: it has a CVSSv3 score of 10/10, meaning it is easy to exploit, can be automated and can be exploited remotely.
In the meantime, researchers who have set up honeypots say that the vulnerability is being actively attacked. There are currently no known cases of companies that have been actively attacked. That doesn’t necessarily mean it hasn’t happened; in other major attacks on corporate network equipment, such as the Citrix vulnerability, criminals took a long time to strike. For example, backdoors are said to have been placed at companies that have implemented the Citrix patch.