How to Detect CVE-2020-5902?

CVE-2020-5902 is a critical remote code vulnerability that exists in F5 Networks’ Big-IP administrative interface. Big-IP are multi-purpose products that are widely used all over the world by Fortune 50 companies.

Detection

Currently out of top three scanners Nessus, Qualys and Nexpose, only Qualys and Nessus has plugins to detect this vulnerability.

Securin’s team of experts has released a script that would detect this vulnerability in your device. This script can be accessed here.

Disclosure

While the vulnerability was disclosed on July 1, 2020, active exploitation was observed by July 3, 2020, indicating that threat actors are moving fast.

According to Shodan, an overall 6295 devices could be affected by this vulnerability with over 2515 devices in the US, 979 in china, 171 in Taiwan, 161 in Indonesia, 146 in Thailand and 104 from India.

CVE-2020-5902 has got a rank of 10/10 in the CVSSv3 vulnerability severity scale which calls for immediate remediation as threat actors would lose no time in exploiting this weakness.

Incident Analysis

This vulnerability was discovered by Mikhail Klyuchnikov, a Positive Technologies researcher.

Right after it was discovered, F5 released patches and mitigations that have since been bypassed.

Many security researchers set up honeypots to check for exploitation and when a few exploits became public, threat actors moved in. Reconnaissance attempts to deliver backdoors, DDoS bots, coin miners, web shells, etc. were made. Some even attempted to scrape admin credentials from vulnerable devices.

Vulnerability Analysis

CVE-2020-5902 vulnerability helps in unauthenticated network-based attacks when SAML (Security Assertion Markup Language) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled. This leads to improper verification of signatures in PAN-OS SAML authentication and the attacker gains access to protected resources. The attacker must however have network access to the server to exploit this vulnerability.

The following versions are affected –

If SAML is not used for authentication, then this vulnerability cannot be exploited. Also, if the ‘Validate Identity Provider Certificate’ option is enabled in the SAML profile, threat actors can’t exploit the vulnerability.

For more recommendations, you can check out F5 BIG-IP Bulletin.

Proof of Concept

Proof of concept scripts for the exploit has already been posted in Github.

You can check them out here –

https://github.com/Un4gi/CVE-2020-5902

https://github.com/yassineaboukir/CVE-2020-5902

Mitigation

On July 7, 2020, it was found that the mitigations for this exploit could be bypassed and an updated mitigation was posted by F5.

<LocationMatch “;”>

Redirect 404 /

</LocationMatch>

For more information, you can check out F5 support page or view their help video for mitigation.

Impact

The successful exploitation of this vulnerability enables the threat actor to –

  • Compromise of entire device
  • Credential theft
  • Perform traffic interception and modification
  • Lateral movement to internal network

And as expected, active exploitation of this vulnerability has already begun.

It has been found that Mirai, an Internet of things (IoT) botnet downloader can be added to new malware variants to scan for affected Big-IP boxes and be used to intrude and deliver malicious payload.

 

Recommendation

With over 8000 devices compromised and mitigations bypassed, the importance of applying Patch can’t be emphasized more. Installing the latest releases of BIG-IP version is important. For more information visit https://support.f5.com/csp/article/K52145254.

Share This Post On