Meme credit @swat_cyber
In Jiu Jitsu the scramble is a chaotic situation where you must haphazardly struggle to quickly get out of a bad position or gain an advantage on your opponent. Unless you know you are faster, stronger and better in the position than your opponent, it is best to avoid the scramble. Keeping yourself protected in unfamiliar situations takes preparation and discipline. When I find myself in bad positions and need to scramble to keep myself safe, I often remember a popular quote from one of the BJJ greats, Kurt Osiander: “You f*cked up a long time ago” (Quote here).
While vulgar and a little brash, it quite eloquently lets you know you need to start proactively addressing the situation much much sooner or risk repeating your mistake. Getting pulled into a chaotic scramble is the symptom of a bigger fundamental problem that you need to address if you want to improve and avoid the scramble in the future.
How does this relate to CVE-2020-5902? If you were one of the many folks this weekend trying to figure out whether you had an F5 BIG-IP, how many, whether the administration interface was exposed to the internet, where the logs were going, and whether you had enough visibility to know if it was being actively exploited, you got pulled into a scramble and frankly… you f*cked up a long time ago. If any exploit catches you off guard and requires you to scramble, then once the smoke clears it is time to step back and reassess.
It’s worth noting that f*cking up is part of the process. Improvement comes with experience, but only if you heed the lesson. When it comes to things like this, experience is often the best defense.
What lessons can defenders take from CVE-2020-5902?
- If you didn’t know whether or how many F5 BIG-IPs you had exposed to the internet, you need to focus on getting better visibility into your public attack surface.
- If the administration interfaces are exposed to wide ranges of the internal network, you need to work on your internal attack surface.
- If you knew the number of affected devices but lacked visibility to determine if they had already been exploited, you need to invest in better logging and monitoring.
- If you had visibility but didn’t detect malicious activity or were unable to respond effectively, you need to improve the agility of your detection & response efforts.
- Realize adversaries also have budgets, limited compute resources and time.
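The first three lessons above are questions an inventory should be able to answer in minutes rather than over a weekend: do we have the product, how many, is the management interface reachable from the internet or from broad internal ranges, and where do its logs go. The following is an added example, not code from the original post or from Randori, that triages a constructed asset inventory against exactly those questions. The `Asset` fields, hostnames, addresses and the `siem.corp.example` syslog target are all assumptions made for the example; a real inventory would come from an asset database or external scan data.

```python
"""Triage an asset inventory for the visibility questions an N-day raises.

Added example (not from the original post). Hostnames, addresses and the
inventory layout are constructed assumptions, not real assets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str                   # vendor/product string as recorded in the inventory
    mgmt_ip: str                   # address the management interface listens on
    allowed_from: List[str]        # CIDRs permitted to reach the management interface
    syslog_target: Optional[str]   # log forwarding destination, None if not configured


# Constructed sample inventory (hypothetical hosts; 203.0.113.0/24 is a documentation range).
INVENTORY = [
    Asset("lb-edge-01", "F5 BIG-IP", "203.0.113.10", ["0.0.0.0/0"], None),
    Asset("lb-edge-02", "F5 BIG-IP", "203.0.113.11", ["0.0.0.0/0"], "siem.corp.example:514"),
    Asset("lb-core-01", "F5 BIG-IP", "10.20.0.5", ["10.0.0.0/8"], None),
    Asset("lb-core-02", "F5 BIG-IP", "10.20.0.6", ["10.20.5.0/24"], "siem.corp.example:514"),
    Asset("fw-edge-01", "PAN-OS", "203.0.113.20", ["198.51.100.0/24"], "siem.corp.example:514"),
]

# Explicit RFC 1918 test rather than ipaddress.is_global, because the documentation
# ranges used in the sample data are classed as non-global by the stdlib.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


def internet_exposed(asset: Asset) -> bool:
    """Management listener on a non-RFC1918 address and reachable from any source."""
    return not is_rfc1918(asset.mgmt_ip) and any(
        ip_network(cidr).prefixlen == 0 for cidr in asset.allowed_from
    )


def broadly_reachable_internally(asset: Asset, max_prefix: int = 16) -> bool:
    """Management interface reachable from an RFC 1918 range wider than /max_prefix."""
    for cidr in asset.allowed_from:
        net = ip_network(cidr)
        if any(net.subnet_of(r) for r in RFC1918) and net.prefixlen < max_prefix:
            return True
    return False


def triage(inventory: List[Asset], product_match: str = "BIG-IP") -> Dict[str, List[str]]:
    """Answer the visibility questions for every asset whose product matches."""
    affected = [a for a in inventory if product_match.lower() in a.product.lower()]
    return {
        "affected": [a.hostname for a in affected],
        "internet_exposed": [a.hostname for a in affected if internet_exposed(a)],
        "broad_internal": [a.hostname for a in affected if broadly_reachable_internally(a)],
        "no_log_forwarding": [a.hostname for a in affected if a.syslog_target is None],
    }


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:18} {len(hosts):2}  {', '.join(hosts) or '-'}")
```

The output buckets map directly onto the lessons: `internet_exposed` is the public attack surface question, `broad_internal` the internal one, and `no_log_forwarding` the devices where you could not answer "was it exploited" even if you knew you had them. Run against a real inventory, the empty-bucket case is the one that tells you the scramble was avoidable.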
For some the scramble is unavoidable.
I write this because, like many of you this weekend, I also got pulled into a scramble. For the red team, analysis of a CVE like CVE-2020-5902 is different:
- Can we reverse the patch to figure out what the bug is?
- Is it possible to weaponize the bug and make a reliable exploit?
- Can I make the exploit usable before my customers patch?
- Can I provide meaningful commentary or advice without adding to the noise?
I was quick to jump on working toward those objectives with CVE-2020-2021 in PAN-OS (you can read the team’s analysis here). True to my geek nature, I got myopically focused on one bug. By the time I realized how far behind the public research I was on CVE-2020-5902, I was in a scramble I couldn’t win.
There is another valuable lesson here. In these N-day scenarios, while defenders are working to patch systems and validate remediations, the adversary is scrambling to validate and weaponize the bug. With the proper preparation, even in the face of unknowns, defenders are still at an advantage, and it is a scramble they can win.
Hopefully you were able to avoid the scramble outright, or were at the very least in a scramble that was easy to win. If not, well, you f*cked up a long time ago.
I hope to see you at the next BBQ.
To read more posts like this from the Randori Attack Team, check out their ongoing TTP series (Tools, Techniques & POCs).