This article is more than 1 year old
F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch
Not to worry, there are only *searches* several thousand devices apparently exposed online
Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.
The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface. Successful exploitation results in full admin control over the device.
"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5.
Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10READ MORE
"RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."
These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications. A successful attack could potentially be disastrous for Fortune 500 companies that make up F5's userbase.
Admins are advised to update their firmware as soon as possible. The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124. BIG-IQ and Traffix SDC products are not vulnerable.
Fixing the bugs could be a bit of a pain, as the app delivery gear by definition sits in between critical application servers and users on the network, and patching could mean downtime. Those in the US might want to take advantage of the upcoming holiday weekend.
Ideally, the vulnerable traffic management interface is not exposed to the open internet. However, it is estimated more than 10,000 devices running the software could be facing the public web. Positive Technologies reckons that figure is at least 8,000. Gulp. ®