EXPLOITING BIG-IP: Deconstructing this Simple but Effective RCE

Ian Lee

If you’re in enterprise security, chances are you’re familiar with F5 BIG-IP and CVE-2020-5902. Used by 45% of Randori customers and thousands of organizations, it’s a very common network appliance family and is famous for having ruined the July 4th plans of many security engineers and network administrators. 

In light of the overwhelming response to this vulnerability, Randori has partnered with Immersive Labs and Randy Franklin Smith, of Ultimate Windows Security, to host a webinar breaking down CVE-2020-5902 and why vulnerabilities like this are becoming more, not less, common.

On July 30th, Randori Director of Offense, Evan Anderson (@Syndrowm), and Immersive Labs Director of Cyber Threat Research, Kevin Breen (@KevTheHermit), will break down the exploit in detail, demonstrate a POC, offer tips on how you can confirm remediation, and talk through how organizations can take steps now to proactively protect themselves against similar network appliance vulnerabilities in the future. You can register here: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=2610&source=Rsp2

CVE-2020-5902 enables an adversary with access to the management console (TMUI) to remotely execute arbitrary system commands. The vulnerability is trivial to exploit, and a successful compromise gives an adversary complete system control over the targeted host. While it is commonplace to find BIG-IP systems exposed to the internet, there is no common use-case for having the management interface accessible to the internet.

Randori Recon is built to identify an organization’s most tempting targets at scale, and customers have long relied on it to identify unintentionally exposed systems. Following the disclosure of this vulnerability, our team quickly developed a detector to identify exposed BIG-IP management UIs and updated our target temptation score for the service. Within hours, any customer with a detected interface received an automated “Top Target Detected” email directing them to review the findings and take immediate action. F5 BIG-IP TMUI detection is now just one of hundreds of service detectors standard as part of Randori’s Recon Attack Surface Management solution.

If you are a current Randori Recon customer, you can simply log in at any time to see if BIG-IP or BIG-IP TMUI has been detected on your perimeter. If you’re not a Randori Recon customer, but are worried you may have a BIG-IP TMUI exposed, don’t worry – we’ve got you covered. Simply request a Free Recon Report and a Randori team member will walk you through our findings.