Finding the F5 Systems Vulnerable to CVE-2020-5902 using Shodan

On July 4, 2020 (US Independence Day), F5 released a security patch for its BIG-IP systems to fix a vulnerability that allows an attacker to take control of the affected systems.

This vulnerability is rated a 10/10 in severity and has been assigned CVE-2020-5902. It is so severe that an attacker with even rudimentary skills can use it to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.


Presently, there are thousands of these unpatched systems around the world. Let's see if we can find a few using Shodan.

Step #1: Go to Shodan.io and Log In

Log in to shodan.io.

Step #2: Search for Vulnerable Systems

Next, enter the following search in the Shodan search window:

http.title:"BIG-IP&reg;-Redirect"

As you can see above, there are presently 8400 systems around the world vulnerable to CVE-2020-5902. Over 3300 are in the US and 1300 in China. (The query matches the title of the BIG-IP login redirect page, so it shows management interfaces exposed to the internet; whether each one is actually unpatched still has to be verified.)

Summary

This vulnerability is widespread and extremely severe, allowing an attacker with minimal skills to take control of the system. As attackers are already beginning to compromise these systems in the wild, it is vital that if one of these 8400 systems is yours, you patch it immediately!

Update July 10, 2020: F5 updated the mitigation section of their security advisory on July 8, 2020 at 17:00 Pacific time, and provided a new mitigation mechanism to help customers mitigate currently known unauthenticated exploits.
Qualys also updated QID 38791 to reflect these changes; the update is available in VULNSIGS version 2.4.935-3 and above.

Update July 8, 2020: F5 updated the security advisory again on July 8,

2020, at 09:30 PT, stating that "all previously provided mitigations aren't completely effective" and recommending "installing patched versions of the software to address the underlying vulnerability." Customers are strongly advised to install the patched version as soon as possible.

F5 Networks recently released updates for the critical RCE vulnerability (CVE-2020-5902) that affects its BIG-IP products. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code, or take complete control of vulnerable systems. The security issue has received a critical severity score of 9.8 under the CVSS v3.1 scoring system.

Vulnerability details:
Mikhail Klyuchnikov, the security researcher from Positive Technologies who discovered the vulnerability, says: "By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.

RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet."

This vulnerability has been found to be actively exploited in the wild, resulting in stolen credentials.

US Cyber Command tweeted that you should patch your systems immediately:

Exploitation:
On Shodan, we found more than 1000 publicly available devices on the internet that may be vulnerable.

Image source: Shodan

Metasploit has released a public exploit module for CVE-2020-5902. A demonstration of the Metasploit PoC is available on GitHub.

Image source: Qualys Lab

Affected products:
BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 15.0.x and 15.1.x

Using VMDR, Identify the Presence of CVE-2020-5902 and the Management Interface on F5 BIG-IP Remotely
Qualys has issued the Information Gathered (IG) QID 42400 to help customers track devices where the Management Interface is accessible on F5 BIG-IP. This QID can be detected via a remote unauthenticated scan.

QID 42400: Management Interface Accessible On F5 BIG-IP

To identify the presence of CVE-2020-5902 remotely, Qualys has issued QID 38791:

QID 38791: F5 BIG-IP ASM, LTM, APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)

Along with the remote QID 38791, Qualys has also released authenticated vulnerability QIDs (373106, 373107) which cover multiple CVEs (CVE-2020-5902, CVE-2020-5903). These QIDs are included in signature version VULNSIGS-2.4.930-5 and above.

Please note: As F5 updated their advisory on July 8 with updated mitigation steps, Qualys QID 38791 has also been updated to reflect those changes and is available in VULNSIGS-2.4.935-3 and above.

Using VMDR, QID 38791 can be prioritized for the following RTIs:

Remote Code Execution
Unauthenticated Exploitation
Public Exploit
Active Attacks
Easy Exploit
High Data Loss

With the VMDR Dashboard, you can track F5 BIG-IP vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of CVE-2020-5902 vulnerability trends in your environment using the F5 BIG-IP Dashboard:

Qualys Threat Protection
Qualys customers can stay on top of these threats proactively via the Live Feed provided for threat prioritization. With the Live Feed updated for all emerging high and medium risks, you can clearly see the impacted hosts for each threat.

Simply click on the impacted assets number to see a list of hosts with this vulnerability.

Configuration Management adds context to overall vulnerability management
To reduce the overall security risk, it is vital to take care of F5 BIG-IP misconfigurations as well. Qualys VMDR shows your F5 BIG-IP misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the CVE-2020-5902 vulnerability.

With the Qualys Policy Compliance module of VMDR, you can check for misconfigurations in the context of the CVE-2020-5902 vulnerability.


Qualys configuration ID 18836 "Status of 'LocationMatch' directive included for httpd component using 'sys module' file" would be evaluated against all interfaces to check for exposure to unauthenticated attackers, as shown in the result section below.

Qualys configuration ID 18835 "List of allow-service configured for all Self IP Addresses" would be evaluated against all self IPs; it addresses unauthenticated and authenticated attackers on self IPs by blocking all access, as shown in the result section below.

Qualys configuration ID 13903 "Status of current list of allowed IP addresses for httpd daemon" would be evaluated against all management interfaces; it addresses unauthenticated attackers on the management interface by restricting access, as shown in the result section below.
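As an added example (not Qualys' or F5's code), the three configuration controls above expressed as a check over captured BIG-IP configuration text: it reads the output of tmsh list /sys httpd and tmsh list /net self and reports whether the httpd allow list is restricted, whether a LocationMatch directive is included, and which self IPs still allow services. The sample output is constructed and only approximates tmsh's format; the LocationMatch include mirrors the form of F5's published mitigation and should be verified against K52145254.

```python
# Added example, not Qualys' or F5's code: evaluate captured 'tmsh list' output
# against the three hardening controls discussed for CVE-2020-5902 exposure.
import re
from typing import Dict, List

def httpd_allow_entries(httpd_cfg: str) -> List[str]:
    """Entries of the 'allow { ... }' list in 'tmsh list /sys httpd' output."""
    m = re.search(r"\ballow\s*\{([^}]*)\}", httpd_cfg)
    return m.group(1).split() if m else []

def httpd_allow_restricted(httpd_cfg: str) -> bool:
    """Control 13903: the httpd allow list must be neither 'all' nor empty."""
    entries = httpd_allow_entries(httpd_cfg)
    return bool(entries) and "all" not in entries

def httpd_has_locationmatch(httpd_cfg: str) -> bool:
    """Control 18836: a LocationMatch directive is included in httpd config."""
    return "<LocationMatch" in httpd_cfg

def self_ips_with_open_services(self_cfg: str) -> List[str]:
    """Control 18835: self IPs whose allow-service is anything but 'none'."""
    exposed = []
    # Each 'net self <name> { ... }' block ends with a '}' at column 0.
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", self_cfg, re.S):
        name, body = m.group(1), m.group(2)
        if not re.search(r"allow-service\s+none\b", body):
            exposed.append(name)
    return exposed

def assess(httpd_cfg: str, self_cfg: str) -> Dict[str, object]:
    """Summarise all three controls for one device."""
    return {
        "httpd_allow_restricted": httpd_allow_restricted(httpd_cfg),
        "locationmatch_present": httpd_has_locationmatch(httpd_cfg),
        "self_ips_open": self_ips_with_open_services(self_cfg),
    }

# Constructed samples approximating tmsh output (not captured from a real device).
HTTPD_WEAK = "sys httpd {\n    allow { all }\n    include none\n}"
HTTPD_HARDENED = r'''sys httpd {
    allow { 10.0.0.0/8 192.168.1.10 }
    include "<LocationMatch \";\">
Redirect 404 /
</LocationMatch>"
}'''
SELF_CFG = (
    "net self 10.1.1.5 {\n    address 10.1.1.5/24\n    allow-service {\n"
    "        default\n    }\n    vlan internal\n}\n"
    "net self 10.1.2.5 {\n    address 10.1.2.5/24\n    allow-service none\n    vlan external\n}"
)
```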

 

Risk-based Prioritization of F5 BIG-IP Vulnerability
Now that you have identified the hosts, the F5 BIG-IP versions and the context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as not every vulnerable asset poses the same risk.

High risk:
Hosts for which QIDs 38791, 373106 or 373107 are detected fo
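As an added example (not code from the post, Qualys or F5), the triage described in this section and the Affected products list above carried out in code: it compares BIG-IP version strings against the first fixed release in each affected branch and ranks hosts by whether the TMUI is reachable from the internet. The fixed version numbers are taken from F5's K52145254 as I recall them and should be verified against the advisory; the inventory is constructed.

```python
# Added example, not code from the post, Qualys or F5: triage a BIG-IP inventory
# for CVE-2020-5902 by version branch and management-interface exposure.
from typing import Dict, List, Optional, Tuple

# First fixed release per affected branch. Assumption: values as published in
# F5 K52145254 (verify against the advisory); 14.1.x is in F5's list although
# the post above omits it.
FIXED_IN = {
    (11, 6): (11, 6, 5, 2),
    (12, 1): (12, 1, 5, 2),
    (13, 1): (13, 1, 3, 4),
    (14, 1): (14, 1, 2, 6),
    (15, 0): (15, 0, 1, 4),
    (15, 1): (15, 1, 0, 4),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'15.1.0.3' -> (15, 1, 0, 3); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_vulnerable(version: str) -> Optional[bool]:
    """True below the fix in an affected branch, False at or after it,
    None when the branch is not in the table (check F5 manually)."""
    ver = parse_version(version)
    fixed = FIXED_IN.get(ver[:2])
    return None if fixed is None else ver < fixed

def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """'high' = vulnerable and TMUI reachable from the internet (what the
    Shodan query above surfaces); 'medium' = vulnerable but not exposed."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "review": [], "fixed": []}
    for host in inventory:
        state = is_vulnerable(host["version"])
        if state is None:
            buckets["review"].append(host["name"])
        elif not state:
            buckets["fixed"].append(host["name"])
        elif host.get("tmui_internet_exposed"):
            buckets["high"].append(host["name"])
        else:
            buckets["medium"].append(host["name"])
    return buckets

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"name": "lb-edge-1", "version": "15.1.0.3", "tmui_internet_exposed": True},
    {"name": "lb-core-2", "version": "13.1.3.3", "tmui_internet_exposed": False},
    {"name": "lb-lab-3", "version": "13.1.3.4", "tmui_internet_exposed": True},
    {"name": "lb-new-4", "version": "16.0.0", "tmui_internet_exposed": False},
]
```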
