F5 has issued patches for its BIG-IP application delivery controllers after a security researcher discovered two critical vulnerabilities in its software.
The vulnerabilities, tracked as CVE-2020-5902 (opens in new tab) and CVE-2020-5903 (opens in new tab), reside in a configuration tool known as the Traffic Management User Interface and exploiting them could allow an attacker to gain full admin control over a vulnerable device.
- F5 Networks acquires Nginx for $670m
- What is network security in the cloud computing era?
- These are the best cloud computing services available now
What makes these flaws particularly concerning is due to the fact that many large enterprises use BIG-IP gear to handle sending traffic to and from their critical applications. An attack that successfully exploited these vulnerabilities could potentially be disastrous for the many of the Fortune 500 companies that are customers of F5.
BIG-IP application delivery controller
The flaws themselves were first discovered by senior web application security researcher Mikhail Klyuchnikov at Positive Technologies who provided further insight on them in a blog post (opens in new tab), saying:
“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet."
Network admins are advised to update their firmware as soon as possible to avoid falling victim to any potential attacks leveraging the two vulnerabilities.
The flaws are present in BIG-IP versions 11 through 15 and those using the company's networking equipment can find more details on how to patch them in this security bulletin (opens in new tab) as well as this one (opens in new tab) from F5 Networks.
- We've also highlighted the best antivirus software
Via The Register (opens in new tab)