This article is more than 1 year old
Make sure you've patched your F5 BIG-IP gear. Exploit code for scary bug is so trivial, it fits in a tweet
Plus: What? No. No way. People would just do that? Go on Tor and use it to commit crimes?
In Brief Exploit code for a nasty vulnerability in F5 Networks' BIG-IP application delivery controllers is now doing the rounds, so make sure you're all patched up.
Miscreants are scanning the internet for machines to attack, judging from reports by infosec bods running honeypots. Any vulnerable kit facing the 'net is likely to be probed at some point this week, if not already, to see if it can be hijacked.
The flaw in question, CVE-2020-5902, lies within the controllers' Traffic Management User Interface. Successful exploitation results in full remote admin control over the device with no authentication required.
Now exploit code is being merged into the Metasploit framework for anyone to use, and proof-of-concept code to extract files or execute arbitrary commands, which neatly fits into a tweet, is being shared all over the web...
F5 Big-IP CVE-2020-5902 LFI and RCE
— Jin Wook Kim (@wugeej) July 6, 2020
LFI
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
or /etc/hosts
or /config/bigip.license
RCE
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoamihttps://t.co/3Ete09oVP6 pic.twitter.com/zBAfdIZBa2
Folks are urged to patch their installations as soon as possible. Thousands of potentially vulnerable deployments are said to be facing the internet.
"The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) Vulnerability in undisclosed pages," a spokesperson for F5 told The Reg.
"This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This issue is not exposed on the data plane; only the control plane is affected.
"F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability."
Uncle Sam sounds the alarm on Tor
The US government's Cybersecurity Security and Infrastructure Security Agency has shared some insights into the Tor network, warning – for those who have been living under a rock – "cyber threat actors can use Tor software and network infrastructure for anonymity and obfuscation purposes to clandestinely conduct malicious cyber operations."
Possible remediation ranges from issuing an outright block on both incoming and outgoing traffic from the IP address of all known Tor nodes, to simply collecting and keeping on hand a list of nodes so that they can be blocked as needed.
DDoS attacks soaring amid lockdown
A report from distributed denial-of-service (DDoS) defense company NexusGuard reckons that over the past quarter DDoS attacks have risen 542 per cent. The reason given for the surge is pretty simple: with everyone under lockdown, miscreants have nothing else to do.
The data, based on NexusGuard's own work with its customers, also shows network flooding are growing smaller in scope: attackers are sending lower volumes of traffic through each botnet machine in order to prevent ISPs from spotting their actions.
VPN SDK bug detailed
Bug hunter 0xSha has unearthed an annoying hole in a software development kit (SDK) used by BitDefender and other security suites to provide VPN functionality.
Dubbed ZombieVPN, the vuln appears to be a privilege-escalation flaw in that malicious code running on a Windows PC with the AnchorFree SDK installed can exploit the bug to gain SYSTEM-level control. The vulnerability has been patched in the SDK, and is designated CVE-2020-12828. Check your antivirus suite for updates if it uses AnchorFree.
Zoom wraps up 90-day plan
Zoom CEO Eric Yuan said his video-conferencing wunderkind has officially concluded its 90-day security overhaul program in which it brought in a number of outside orgs and consultants to shore up its defenses after a number of privacy and security slip-ups.
Looking ahead, the CEO said Zoom will carry out regular audits and continue its enhanced bug bounty program, among other measures. ®