CVE-2020-5902

Name of the Vulnerable Software and Affected Versions F5 BIG-IP versions 11.6.1 through 11.6.5.1 F5 BIG-IP versions 12.1.0 through 12.1.5.1 F5 BIG-IP versions 13.1.0 through 13.1.3.3 F5 BIG-IP versions 14.1.0 through 14.1.2.5 F5 BIG-IP versions 15.0.0 through 15.1.0.3

Description The Traffic Management User Interface (TMUI), also known as the Configuration utility, in F5 BIG-IP contains a Remote Code Execution (RCE) issue present in undisclosed pages. This allows a remote attacker to execute arbitrary code on the system. Reports indicate mass exploitation of this issue is occurring. The vulnerability is related to errors in code generation management within the TMUI. The vulnerability affects BIG-IP Access Policy Manager, BIG-IP Advanced Firewall Manager, BIG-IP Application Acceleration Manager, BIG-IP Application Security Manager, BIG-IP DDos Hybrid Defender, BIG-IP DNS, BIG-IP Fraud Protection Service, BIG-IP Link Controller, BIG-IP Local Traffic Manager, BIG-IP Policy Enforcement Manager, and SSL Orchestrator. Proof-of-concept exploits have been published and are available online, demonstrating the ability to read system files such as /etc/passwd, /etc/hosts, /config/bigip.license, /config/bigip.conf, and to execute TMsh commands like list auth user admin via crafted requests to API endpoints like /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp and /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp.

Recommendations For BIG-IP versions 11.6.1 through 11.6.5.1, apply a fix or upgrade to a newer version. For BIG-IP versions 12.1.0 through 12.1.5.1, apply a fix or upgrade to a newer version. For BIG-IP versions 13.1.0 through 13.1.3.3, apply a fix or upgrade to a newer version. For BIG-IP versions 14.1.0 through 14.1.2.5, apply a fix or upgrade to a newer version. For BIG-IP versions 15.0.0 through 15.1.0.3, apply a fix or upgrade to a newer version.