CVE-2020-5902
The threat
In certain F5 BIG-IP versions, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Affected versions
The following versions of F5 BIG-IP are affected:
- 15.0.0-15.1.0.3
- 14.1.0-14.1.2.5
- 13.1.0-13.1.3.3
- 12.1.0-12.1.5.1
- 11.6.1-11.6.5.1
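As an added example (not part of the original advisory), a small Python check that tests BIG-IP version strings from an inventory against the affected ranges listed above; the hostnames and versions in the sample inventory are constructed for illustration.

```python
# Added example: flag BIG-IP versions that fall inside the affected ranges
# listed above for CVE-2020-5902. The ranges are those on this page; the
# hostnames and version strings in SAMPLE_INVENTORY are constructed.
from typing import Dict, Optional, Tuple

# (first affected, last affected) per branch, inclusive, as listed above.
AFFECTED_RANGES = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.2.5' into (14, 1, 2, 5); missing trailing fields count as 0."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) range containing `version`, or None if none does."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None

def is_affected(version: str) -> bool:
    return affected_range(version) is not None

# Constructed inventory: hostname -> reported TMOS version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "bigip-edge-01": "15.1.0.3",   # last build inside the 15.x range
    "bigip-edge-02": "15.1.0.4",   # just above the listed 15.x range
    "bigip-lab-01": "13.1.3.3",
    "bigip-lab-02": "14.1.2.6",
    "bigip-old-01": "11.6.0",      # below the first affected 11.6.x build
}

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of hosts whose version falls in an affected range."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}

if __name__ == "__main__":
    for host, ver in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {ver} is in an affected range for CVE-2020-5902")
```

Version strings are compared field by field rather than as text, so a three-field version such as 15.0.0 compares correctly against four-field bounds.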
The impact
This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. It may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.
Our recommendations
If you are running a version listed in the F5 security advisory, F5 recommend eliminating this vulnerability by upgrading to a fixed version listed there.
Please note that if you run an affected version but your management UI is not publicly exposed, the risk of this vulnerability being exploited is significantly reduced. Patching as soon as possible is still recommended to prevent internal exploitation.
If the F5 security advisory lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
If it is not possible to upgrade at this time, F5 have suggested a number of temporary mitigations in their security advisory.
More information