Critical f5 Vulnerability That Could Potentially Allow Hackers to Exploit Corporate Networks

Cyber Attacks
Written By Nauman
1- f5 RCE Vulnerability Hack.png

Never heard of f5s before or don’t know what these devices do? To understand the severity of this recently discovered vulnerability, obviously you have to first understand what f5s are. Fear not, I will be less technical and try to explain below in layman’s terms. You have to have some Computer/IT knowledge to understand the full article though.

WHAT IS F5 AND WHAT IT CAN DO?

f5 devices are an integral part of the IT/Network infrastructure for most of the medium to large organizations. Companies use them for different purposes, some of them are listed below:

  1. Load-balance the traffic. Think of a company which has 50 application servers and wants to distribute traffic evenly across all those 50 servers. They can put those servers behind f5, to help achieve this.

  2. Encrypt/Decrypt the traffic. This process can be very resource intensive. You want your servers running applications such as e-commerce, email etc. to focus on running the application by letting f5s handle this encryption/decryption process.

  3. Protect your website. Your website is accessible over the internet and you want to protect it against evolving threats such as credential stuffing, DDoS, SQL injections etc. Put it behind f5 and it will take care of the threats.

  4. Protect your network traffic. You want to allow only certain traffic to your corporate network. Put it behind f5, create Firewall rules and f5 will take care of this.

  5. You want to authenticate, authorize users and then do further security checks on them. Deploy f5, build f5 policies and you will be able to run all kinds of checks on users, before allowing them to your corporate Network.

  6. Intelligent Name Resolutions. Companies use f5s for intelligent name resolutions to IPs and route traffic accordingly to their different Data Centres.

These are just a few things that you can do with f5s, there is much more. But this should give you some idea that why f5s are such a critical part of any organization’s infrastructure.

WHAT IS THE VULNERABILITY?

The vulnerability (fixed in late June, 2020), which is officially called CVE2020-5902, allows an attacker to run commands, read, delete files, execute code, disable services etc. on the f5 device. The only condition that has to be met to exploit this vulnerability, is for an attacker to be able to access the Graphical User Interface (GUI) of the f5 device. Obviously, you have to have some little technical background to be able to exploit the vulnerability.

WHY THIS F5 VULNERABILITY IS SO CRITICAL?

We have already established above, what f5 is capable of doing. Now imagine an attacker who is able to:

  • Reach f5 device on which corporates rely heavily for providing critical services

  • Then able to read or delete sensitive files; run malicious code, disable critical services, without having to authenticate

Such malicious act could cause:

  1. Disruption of critical services, by rendering the very devices on which these services rely, useless

  2. Loss of critical configuration data on the f5s

  3. Loss of sensitive information, such as private keys used to encrypt data, email addresses, IP addresses, Credit Card numbers etc.

  4. Routing of traffic to malicious servers

2- f5 RCE Vulnerability Hack CVE2020-5902.jpg

The vulnerability was so critical that it was assigned 10/10 and 9.8 rating on CVSS V2.0 and V3.1 respectively and US Cyber Command and Canadian Centre for Cyber Security advised to patch/mitigate immediately. One of the reasons for such a high rating was that you don’t need privileged access to exploit it.

HOW TO EXPLOIT THIS F5 VULNERABILITY

3- f5 RCE Vulnerability Hack CVE2020-5902- f5 GUI.jpg

This is the screenshot of f5 GUI. Administrators, Security Professionals, Network Engineers login to this utility to configure f5 device, to protect corporate networks.

This GUI has an address/URL (https://<address>:<port>/tmui/login.jsp) just like a website address, which is accessible in some cases from the internet and in most cases from within the corporate networks.

In an ideal scenario, you will only be able to run commands and have access to the files after logging into the device, with a privileged access level. But due to this vulnerability, all you have to do is just craft a URL that includes the f5 GUI address, enter it or script it and start exploiting the vulnerability.

DEMONSTRATION OF THE EXPLOITATION USING A SIMPLE GUI METHOD

Below I will show you how to exploit this vulnerability, which will give you some idea of the severity of it. For sake of simplicity, I am going to use a publicly accessible f5 device, running a vulnerable software version and a simple browser.

STEP 1:

4- f5 RCE Vulnerability Hack CVE2020-5902- Demonstration .jpg

Enter the f5 GUI address in the browser

STEP2:

Example 1:

Let’s try to pull some information. Modify the URL as follows and hit Enter:

https://<f5 gui address:port>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/krb5.conf

4b- f5 RCE Vulnerability Hack CVE2020-5902- Demonstration .jpg

In the above example you can see I was able to pull information from a file, located on the f5 device, which may contain sensitive Kerberos authentication information.

Example 2:

Let’s see if I can pull some directory listings.

4c- f5 RCE Vulnerability Hack CVE2020-5902- Demonstration Directory Listings.jpg

Directory Listings on the f5 Device

https://<f5 gui address:port>/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/

Here you can clearly see I was able to see the contents of the www directory.

Example 3:

I was curious to see if I could run some commands on the f5 box. One of them that I was able to run was the following:

https://<f5 gui address:port>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+asm+policy

Unfortunately, for security reasons I cannot share the output. With this command I was able to list all the f5 policies that were being used to protect different websites.

Example 4:

In this example you will see that I was able create a file called test.3 on the f5 device and write to it without authenticating by using the crafted URL as shown in the URL field.

4d- f5 RCE Vulnerability Hack CVE2020-5902- Demonstration create and write to the file.jpg

The above 4 examples were for demonstration only and are just tip of the iceberg. You can do much more by exploiting this vulnerability.

NOTE 1: In all of the above examples, I was able to access all this information without even logging in.

NOTE 2: Depending on what version you are running, you are going to be exposed to different exploits. In other words, exploit on one version might not necessarily work on the other. For example, you can expose license file in one version but not in the other version.

SO HOW DO I FIX THIS VULNERABILITY?

f5 was quick to address the vulnerability. The KB article has all the technical details on how to mitigate or apply a patch to fix the problem. f5 has been updating the article regularly to address the vulnerability as the threat was evolving.

MITIGATION:

Mitigation is a quick fix. If you are worried about disrupting critical services and not have enough time to fully test the new patch, mitigation is the way to go and should be done asap.

It is a pretty simple fix and all it does is redirect a potential attacker to Page Not Found page, which is achieved by modifying the Apache web server file on which the GUI is hosted. Interface lockdowns are another option.

NOTE: Applying mitigation will not have any impact on the critical traffic, so you can apply the mitigation anytime in the production environment.

FIX:

Apply the patch, which has the fix, and this will take care of both authenticated and unauthenticated users. This will however disrupt the service and will require a longer window followed by a thorough testing.

CAN I FIND OUT IF MY F5 HAS BEEN COMPROMISED?

  • Yes, look in the log entries as suggested in the KB article. It will tell you if there was an attack and where it originated from etc. It won’t tell you, what was compromised.

  • I noticed over 15k login attempts on one of my honeypot devices. So, this is something else you want to keep an eye on.

  • Also, on the same honeypot device, I discovered some files, which the attacker had planted. If you see files that shouldn’t be there, delete them.

  • At the time of the attack, tcpdump captures will also reveal useful information.

  • If the attacker was good, it would be hard to find out exactly what was compromised.

OUR CORPORATE F5 DEVICES ARE NOT EXPOSED TO THE INTERNET, SHOULD I STILL BE CONCERNED?

Short answer is Yes. Reasons are:

  1. If you are a big corporate you will still have many employees/contract-workers who can reach the devices through the VPN and are able to do stuff on f5s, which they can't without this vulnerability.

  2. You will also have people accessing f5 with limited privileges such as with auditor, Guest, Operator level roles, yet with this vulnerability they are able to do much more.

  3. Even if you are perfectly safe, knowing that you can mitigate the vulnerability by applying a 2-minute no-traffic-impact fix, leave you with no reason not to mitigate.

Thank You!

Nauman
Previous

Interesting Tech News from July, 2020
Next

Interesting Tech News from June, 2020