On July 1st, 2020, F5 published an article about the TMUI vulnerability CVE-2020-5902 on their website. It describes a security flaw that can allow a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without proper authentication and perform remote code execution and local file inclusion.
Successful exploitation of this issue can allow attackers to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary code that can lead to attackers gaining full control over the BIG-IP instances.
Searching for BIG-IP ADC instances on Shodan reveals that there are 95 BIG-IP instances in the Philippines. Four (4) of those instances are connected to Philippine government websites.
*.insurance.gov.ph (2 instances)
I've seen a lot of hackers in the Twitterverse reporting this issue to different organizations because, according to F5,
If your BIG-IP system has TMUI exposed to the Internet and it does not have a patched version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures.
Malicious attackers all over the world will start poking at these instances, and there's a huge probability that no one will report this to the National Computer Emergency Response Team (NCERT).
So I took the liberty to validate the vulnerability and confirm whether the instances were vulnerable so that I could report it immediately to the NCERT.
I created a proof of concept for CVE-2020-5902 written as a Python script.
Using the tool, I was able to validate the vulnerability and confirm that the government websites are vulnerable.
The screenshot below is example output of the tool (LFI):
I quickly reported it via email to [email protected]. I also gave screenshots and an explanation of the vulnerability.
By the way, you can actually submit an incident to NCERT and they will collaborate with you to address the potential issue as soon as possible. Check the details on this page: https://ncert.gov.ph/submit-an-incident/
Today, July 10th, 2020, I can confirm that the instances are now fixed and are returning the "Object not found!" error message.
The NCERT also released a security advisory on their website about CVE-2020-5902. (https://ncert.gov.ph/2020/07/09/f5-big-ip-vulnerability/)
If you are running a vulnerable F5 BIG-IP instance, F5 recommends that you upgrade to a fixed software version to fully mitigate this vulnerability.
To end this blog, I would like to thank the NCERT for collaborating with me to quickly resolve this issue.