On Friday, July 24, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers have started exploiting the CVE-2020-5902 vulnerability in F5 Networks BIG-IP devices.
F5 BIG-IP devices are used for load balancing and generally sit between the firewall and a web application. They are used by many Fortune 500 companies, large enterprises, and government agencies, and are an attractive target for hackers. Exploitation of the vulnerability will allow an attacker to remotely execute code on the device, then attack and take control of the internal networks to which the device connects. Unsurprisingly, given the nature of the flaw, it was assigned the maximum CVSS severity score of 10/10.
F5 Networks released a patch to correct the CVE-2020-5902 vulnerability on June 30, 2020 and warned at the time that there was a high probability that hackers would develop exploits for the flaw and would attack unpatched devices.
F5 Networks has updated its security advisory and warned organizations that if they have a BIG-IP system that has TMUI exposed to the internet and the patch has not been applied, there is a high probability that the system has already been compromised. F5 Networks has provided indicators of compromise in its security advisory.
CISA has warned that it observed scanning and reconnaissance as early as July 6, 2020, and confirmed that there were compromises within a few days of the patch being released.
While it is essential for the software to be updated immediately, organizations should then use F5’s CVE-2020-5902 IoC Detection Tool to determine whether the flaw has already been exploited. Further detection methods, and recommendations to follow should a compromise be detected, can be found in the CISA alert.