F5 Networks Warns Of Critical Security Flaw In Networking Devices

F5 Networks has warned users of its popular BIG-IP line of networking devices to install patches after researchers uncovered a severe security vulnerability.

The BIG-IP application delivery controllers carry out a range of networking tasks, such as load-balancing, application security management and firewall management.

They are routinely used by large companies and government agencies around the world, with F5 saying BIG-IP is used by 48 of the firms on the Fortune 50 list.

F5 said the flaw, designated CVE-2020-5902, could be used by unauthenticated attackers to execute malicious system commands, create or delete files, disable services and execute malicious Java code.


System compromise

“This vulnerability may result in complete system compromise,” the company said.

BIG-IP devices being used in Appliance mode are also vulnerable, F5 said in its advisory.

The issue is a Remote Code Execution (RCE) bug found in BIG-IP’s configuration utility, the Traffic Management User Interface (TMUI).

F5 published a list of affected BIG-IP software versions and urged users to upgrade to versions that have been patched.

For those unable to do so, the company also provided several temporary workarounds.

The vulnerability, discovered by Positive Technologies researcher Mikhail Klyuchnikov, has been given a rare 10 out of 10 CVSS severity rating.

It can be exploited by sending a malicious HTTP request to a server hosting a vulnerable TMUI version.

Klyuchnikov said systems compromised via the bug could be used to attack other parts of an organisation’s network.

Network breach

“(Remote code execution) in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” he said in an advisory.

Klyuchnikov noted that most organisations using BIG-IP do not enable access to the TMUI interface from the internet, making exploitation more difficult.

However, he said Positive had found that more than 8,000 vulnerable devices were nevertheless accessible via the internet as of June 2020, with most being in the US, followed by China and Taiwan.

Klyuchnikov also discovered a second vulnerability in the TMUI that could allow malicious JavaScript to be executed, with successful exploitation leading to a full compromise of the device.

He said web application firewalls can block attackers attempting to exploit either of the bugs.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
