Expanse Researchers Show More Than 8,000 F5 BIG-IP TMUIs Are Still Exposed on the Internet

If you are like 48 of the Fortune 50 companies and multiple government agencies, you likely use some F5 BIG-IP product family. This line includes load balancers, access gateways, and application delivery controllers to name a few. On July 1, F5 disclosed that security researchers at Positive Technologies had identified two new vulnerabilities for certain versions of BIG-IP products in the application delivery controller.

The vulnerability CVE-2020-5902 allows for remote execution of arbitrary system commands on vulnerable BIG-IP devices with an exposed and accessible management port via the Traffic Management User Interface (TMUI). This vulnerability could provide complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serve as a hop point into other areas of the network. An additional exploit, CVE- 2020-5903, affects the same vulnerable management interface via a cross-site scripting vulnerability (XSS) that can be leveraged to achieve remote code execution (RCE).

Between July 9 and July 15, Expanse researchers found at least 8,041 exposed TMUI instances on the public Internet. While it is necessary for BIG-IP load balancers to be exposed, there is no legitimate reason for TMUIs to be accessible. 

CVE-2020-5902 received the highest vulnerability rating of “critical” from the National Vulnerability Database due to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity, and availability. It was deemed so critical that U.S. Cyber Command issued a tweet on the afternoon of July 3 recommending immediate patching despite the holiday weekend. While F5 did not release a Proof of Concept (PoC) for the exploit, numerous PoCs began appearing on July 5.

At Expanse, following the announcement of the new CVEs, our team rapidly mobilized to help our customer base respond to this new security risk. Expanse engineers began working on a fingerprint to identify exposed F5 BIG-IP TMUIs late on the evening of July 2 in response to a customer request and were able to deliver preliminary results within hours. Over the holiday weekend, Expanse expanded this fingerprint across its entire customer base and provided results to all customers on the morning of July 6.

By July 7, the fingerprint had been created as a new issue type within Expander allowing customers to see their exposed F5 BIG-IP TMUIs across their on-prem and cloud IP space. This ensured they had visibility into all of their publicly exposed F5 BIG-IP TMUIs and could then take steps to remove those assets from the Internet and update them with the latest patches (see the F5 advisory on patching here). F5 BIG-IP TMUI detection is now available on an ongoing basis within Expander.

If you are a current customer, please reach out to your Engagement Manager to discuss how we can help you identify and secure any exposed F5 BIG-IP TMUIs. And if you’re not a customer, we’re still here to help! Reach out to set up a demo today.