All You Need to Know About the F5 CVE-2020-5902 (BIG-IP TMUI RCE Vulnerability) Consequences, and the Fix


On June 30, 2020, F5 issued an advisory for a Remote Code Execution (RCE) vulnerability, CVE-2020-5902, in the Traffic Management User Interface (TMUI) of several BIG-IP versions.

According to F5,

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility (another term for the Traffic Management User Interface) through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise.”

Within days of the advisory, attackers were reported to be exploiting the vulnerability in the wild. Security analysts counted roughly 8,500 BIG-IP devices online with their management port exposed to the internet.

[Table showing affected BIG-IP devices and versions (source: F5 DevCentral)]

Given that many large enterprises use BIG-IP application services for application delivery and security, this vulnerability may prove to be one of the most impactful in years. The damage does not stop at the device: an attacker who controls a BIG-IP can intercept traffic to any application behind an LTM or GTM, harvest its data and credentials, and use the device as a foothold into the internal network, tampering with sensitive files and reconfiguring the system at will.

What F5 did

F5 was quick to respond, releasing patches and a workaround to mitigate the vulnerability. It gave users two options:

  1. Apply a patch or upgrade to a later version (recommended by F5)
  2. Temporarily mitigate the vulnerability by deploying the workaround provided by F5

However, the first workaround F5 published was bypassed by attackers, leading to further exploitation, and F5 issued a revised one. F5 now strongly recommends upgrading to a fixed BIG-IP version: the workaround only reduces exposure and is no substitute for the patch.

The pitfall

The upgrade is highly time-sensitive: the longer a device is left unpatched, the greater its exposure to attack. Yet upgrading is a largely manual process. Tracking and inventorying applications that may be distributed across data centers, backing up configuration files, and ensuring security and compliance during the migration are challenging, risky, and error-prone when done by hand.

How AppViewX helps overcome the above pitfall

As the Perl motto goes, "There is more than one way to do it."

Different teams approach upgrades differently, and a single fixed procedure rarely covers them all, because upgrade steps are usually tuned to an environment rather than to the technology.

That said, the AppViewX Service Orchestration and Automation Solution gives you the flexibility to define those details, down to the fine print.

AppViewX simplifies upgrading your existing configurations through application discovery across environments, automated backups, compliance checks (pre- and post-validation), and change management via built-in integrations with ITSM solutions. Its self-service upgrade templates streamline the upgrade or patch process, and it supports all BIG-IP versions, so the upgrade can be quick, error-free, and seamless.

A simple example: the pre- and post-checks.
Different engineers want different commands run and validated before and after an upgrade or downgrade. AppViewX lets the executor push the desired pre- and post-checks ad hoc, so they are fully customizable.
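As an added example of what such pre- and post-checks can look like (this is not AppViewX code or F5 code), the following script takes the raw text of `tmsh show sys version` and `tmsh show ltm virtual` captured before and after an upgrade, decides whether the post-upgrade version is still one the F5 advisory lists as vulnerable to CVE-2020-5902, and reports any virtual server that was available before the change but is not afterwards. The version table is taken from F5's advisory K52145254; the sample tmsh captures, virtual-server names and function names are constructed for the example.

```python
"""Pre/post validation for a BIG-IP upgrade driven by CVE-2020-5902 (added example).

Feed it the raw text of `tmsh show sys version` and `tmsh show ltm virtual`
captured before and after the upgrade; it decides whether the device is still
on a version the advisory lists as vulnerable and which virtual servers lost
availability across the change.
"""
import re

# Branch -> (first affected, first fixed) per F5 advisory K52145254.
# 15.0.x has no fixed build in its own branch; F5 points 15.0.x users to 15.1.0.4.
ADVISORY = {
    (11, 6): ((11, 6, 1, 0), (11, 6, 5, 2)),
    (12, 1): ((12, 1, 0, 0), (12, 1, 5, 2)),
    (13, 1): ((13, 1, 0, 0), (13, 1, 3, 4)),
    (14, 1): ((14, 1, 0, 0), (14, 1, 2, 6)),
    (15, 0): ((15, 0, 0, 0), None),
    (15, 1): ((15, 1, 0, 0), (15, 1, 0, 4)),
}


def parse_version(tmsh_output):
    """Version line of `tmsh show sys version` as a 4-tuple: '14.1.2' -> (14, 1, 2, 0)."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", tmsh_output, re.M)
    if not m:
        raise ValueError("no Version line in tmsh output")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0, 0))[:4]


def cve_2020_5902_status(version):
    """'vulnerable', 'fixed', or 'not-listed' (branch not evaluated in the advisory)."""
    entry = ADVISORY.get(version[:2])
    if entry is None or version < entry[0]:
        return "not-listed"
    fixed = entry[1]
    if fixed is None or version < fixed:
        return "vulnerable"
    return "fixed"


def parse_virtuals(tmsh_output):
    """Map virtual-server name -> Availability from `tmsh show ltm virtual`."""
    result, name = {}, None
    for raw in tmsh_output.splitlines():
        line = raw.strip()
        m = re.match(r"Ltm::Virtual Server:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"Availability\s*:\s*(\S+)", line)
        if m and name:
            result[name] = m.group(1)
    return result


def report(pre_version, pre_virtuals, post_version, post_virtuals):
    """Combine the checks; 'ok' is True only if the version is fixed and no VIP regressed."""
    before = parse_virtuals(pre_virtuals)
    after = parse_virtuals(post_virtuals)
    regressed = sorted(n for n, s in before.items()
                       if s == "available" and after.get(n) != "available")
    status = cve_2020_5902_status(parse_version(post_version))
    return {
        "from": ".".join(map(str, parse_version(pre_version))),
        "to": ".".join(map(str, parse_version(post_version))),
        "cve_2020_5902": status,
        "regressed_virtuals": regressed,
        "ok": status == "fixed" and not regressed,
    }


# Constructed sample captures (not from a real device), so the module runs as-is.
PRE_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     14.1.2\n  Build       0.0.37\n"
POST_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.0.4\n  Build       0.0.6\n"
PRE_VIRTUALS = """\
Ltm::Virtual Server: vs_app1
Status
  Availability     : available
  State            : enabled
Ltm::Virtual Server: vs_app2
Status
  Availability     : available
  State            : enabled
"""
# Same capture after the upgrade, with vs_app2 having gone offline.
POST_VIRTUALS = PRE_VIRTUALS.replace("vs_app2\nStatus\n  Availability     : available",
                                     "vs_app2\nStatus\n  Availability     : offline")

if __name__ == "__main__":
    print(report(PRE_VERSION, PRE_VIRTUALS, POST_VERSION, POST_VIRTUALS))
```

The version comparison is deliberately strict: a device on 15.0.x reports "vulnerable" even though it is on the newest major branch, because the advisory provides no fixed 15.0.x build, and a branch the advisory does not cover reports "not-listed" rather than "fixed", so the post-check never silently passes on an unevaluated release.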


Prerequisites / housekeeping:

  • All F5 devices in scope must be in the 'Managed' state in AppViewX.
  • F5's recommendation to provision the MGMT (management) resource as 'LARGE' must be completed.
  • F5's recommendation to install v15 into a new software volume must be followed.
  • The user fills out a form with basic details: device type (standalone or HA pair), F5 device name, installation file name, and installation volume name.
  • The upgrade flow branches on the device type chosen.

Standalone Devices:

  • The device starts in the Active state.
  • The installation files will be transferred from the AppViewX server to the F5 device in the volume chosen in the form.
  • Installation process will be started and status at each point will be checked.
  • The device configuration will be fetched.
  • Device configuration backup will be done.
  • The device will be forced to go offline.
  • The configuration will be copied to the new volume.
  • The device will be rebooted and will be released from offline mode.
  • VIP status will be fetched and the device will be checked for active connections.
  • The upgrade process is complete and the device will be ready to use.

HA Pair Devices:

  • There are two devices, one standby and one active.
  • The installation files will be transferred from the AppViewX server to both F5 devices, into the volume chosen in the form.
  • Installation is initiated on the standby device first.
  • The new base image will be installed on the standby device.
  • The standby device configuration will be fetched.
  • A configuration backup of the standby device will be taken.
  • The standby device will be forced offline.
  • The configuration will be copied to the new volume.
  • The standby device will be rebooted and released from offline mode.
  • VIP status will be fetched and the standby device will be checked for active connections.
  • Next, the active device configuration will be fetched.
  • A configuration backup of the active device will be taken.
  • The active device will be forced offline (the upgraded standby device takes over traffic).
  • The configuration will be copied to the new volume.
  • The active device will be rebooted and released from offline mode.
  • VIP status will be fetched and the active device will be checked for active connections.
  • F5 HA pair synchronization will be run to bring both devices back in sync.
  • The upgrade process is complete and both devices are ready to use.
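The two flows above map onto a small number of tmsh commands. The following is an added example (not AppViewX's implementation and not an F5 tool) that drives both the standalone and the HA-pair sequence through a pluggable `run(host, command)` executor, polls `tmsh show sys software status` until the new volume reports `complete`, and returns the version each device reports afterwards. The host names, image file name, volume name, device-group name and the fake executor output are assumptions for illustration; on a live device the executor must reconnect after `tmsh reboot volume`, since the session drops there.

```python
"""Drive the standalone and HA-pair upgrade flows through tmsh (added example).

`run(host, command) -> str` is the only external dependency: plug in SSH
(e.g. paramiko) for a live device, or a recording fake for a dry run. `sleep`
is injected so a test can skip the install-polling delay.
"""
import re

VERSION_RE = re.compile(r"^\s*Version\s+(\S+)", re.M)


def install_status(output, volume):
    """Status column for `volume` in `tmsh show sys software status` output."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] == volume:
            return " ".join(cols[5:])      # e.g. 'complete', 'installing 23.000 pct'
    raise LookupError(f"volume {volume} not found in software status")


def wait_for_install(run, host, volume, sleep, max_polls=360):
    """Poll until the image in `volume` reports 'complete'; abort on a failed install."""
    for _ in range(max_polls):
        status = install_status(run(host, "tmsh show sys software status"), volume)
        if status == "complete":
            return status
        if status.startswith("failed"):
            raise RuntimeError(f"{host}: install to {volume} {status}")
        sleep(10)
    raise TimeoutError(f"{host}: install to {volume} did not complete")


def upgrade_device(run, host, image, volume, sleep):
    """Single-device flow in the order described above; returns the new version string."""
    # 1. install the image into a new software volume and wait for it to finish
    run(host, f"tmsh install sys software image {image} volume {volume} create-volume")
    wait_for_install(run, host, volume, sleep)
    # 2. fetch the running configuration and take a UCS backup of it
    run(host, "tmsh save sys config")
    run(host, f"tmsh save sys ucs /var/local/ucs/pre-upgrade-{volume}.ucs")
    # 3. force the device offline, copy the config to the new volume, boot into it
    #    (forced-offline state persists across the reboot)
    run(host, "tmsh run sys failover offline")
    run(host, f"cpcfg {volume}")           # source defaults to the active volume
    run(host, f"tmsh reboot volume {volume}")
    # 4. after reboot: release from forced offline, then collect post-check data
    run(host, "tmsh run sys failover online")
    run(host, "tmsh show ltm virtual")
    run(host, "tmsh show sys connection")
    m = VERSION_RE.search(run(host, "tmsh show sys version"))
    return m.group(1) if m else "unknown"


def upgrade_pair(run, standby, active, image, volume, device_group, sleep):
    """HA flow: standby first, then the former active, then config-sync from the
    device that took over traffic (the upgraded standby)."""
    versions = {}
    for host in (standby, active):
        versions[host] = upgrade_device(run, host, image, volume, sleep)
    run(standby, f"tmsh run cm config-sync to-group {device_group}")
    run(standby, "tmsh show cm sync-status")
    return versions
```

Keeping the executor outside the procedure is what makes the sequence reviewable: the same function can be run against a fake that records the commands, so the order (install, backup, force offline, copy config, reboot, release) can be asserted before it is ever pointed at a production pair.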

Conclusion

AppViewX's Service Orchestration and Automation Solution is a powerful and flexible platform for streamlining image upgrades and downgrades for any vendor, quickly and with ease. Sign up for a live demo of the product to see it in action.

For more details on the upgrade process, please read through the Solution Guide attached.


About the Author

Balanavin G

Software Engineer I

Analytical Python developer building intuitive solutions to automate complex network infrastructures.
