VU#290915: F5 BIG-IP contains multiple vulnerabilities including unauthenticated remote command execution







Overview


F5 BIG-IP provides a Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that has multiple vulnerabilities including a remotely exploitable command injection vulnerability that can be used to execute arbitrary commands and subsequently take control of a vulnerable system.


Description


F5 BIG-IP devices provide load-balancing capability to application services such as HTTP and DNS. The F5 BIG-IP TMUI management web interface improperly neutralizes untrusted user input and can be abused by unauthenticated remote attackers to perform malicious activities such as cross-site scripting (XSS), cross-site request forgery (CSRF), and command injection (CWE-74). F5 has also announced that BIG-IP devices do not properly enforce access controls on sensitive configuration files, which can be read and overwritten by an authenticated user via Secure Copy (SCP). The vulnerability identified as CVE-2020-5902 can be abused to achieve arbitrary code execution on the target device with root privileges.


Underlying causes and factors in these vulnerabilities include:


Improper configuration and a lack of identity checks; see the NCC Group article "Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902"
The TMUI fails to enforce proper authentication and authorization; see the OWASP recommendations on authentication and access control
The TMUI web interface does not normalize user input to prevent XSS and CSRF, allowing a "Deadly Combination of XSS and CSRF"
Lack of role-based access checks allows unexpected file access
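The first cause above (the identity check applied by the front end and the path actually served by the container disagreeing) can be checked for in web access logs. The following is an added example, not code from the CERT/CC note or from F5: it models, in simplified form, how an Apache httpd front end that exempts the login page from authentication sees a request path, versus how a Tomcat-style container sees the same path after stripping RFC 3986 ";param" path parameters from each segment (so "..;" becomes ".." and climbs out of the exempted prefix), and flags log lines where the two views differ. The log lines, the UNAUTH_PREFIX value and the two resolvers are constructed for this example; the appliance's real servlet mapping also depends on its proxy configuration, which is not reproduced here.

```python
import re
from typing import List, NamedTuple

# Constructed access-log lines for this example (not real traffic). The first three
# are ordinary TMUI requests; the last two use the request shape associated with
# CVE-2020-5902: a "..;" segment placed after the unauthenticated login page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2101
10.0.0.5 - - [05/Jul/2020:10:01:09 +0000] "POST /tmui/logmein.html HTTP/1.1" 302 0
10.0.0.7 - - [05/Jul/2020:10:02:11 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 401 0
198.51.100.9 - - [05/Jul/2020:10:03:44 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1387
198.51.100.9 - - [05/Jul/2020:10:03:51 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 412
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+$'
)

# Assumed: the prefix the front end lets through without a session (the login page).
UNAUTH_PREFIX = "/tmui/login.jsp"


class Finding(NamedTuple):
    src: str
    method: str
    target: str
    front_end_path: str  # path as the front-end access check sees it
    container_path: str  # path as the servlet container resolves it
    status: str


def _resolve(target: str, strip_path_params: bool) -> str:
    """Drop the query string and collapse '.' / '..' segments, optionally stripping
    RFC 3986 ';param' path parameters from each segment first."""
    path = target.split("?", 1)[0]
    out: List[str] = []
    for seg in path.split("/"):
        if strip_path_params:
            seg = seg.split(";", 1)[0]
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def front_end_path(target: str) -> str:
    """Apache httpd style: '..;' is just a segment name, so nothing is collapsed."""
    return _resolve(target, strip_path_params=False)


def container_path(target: str) -> str:
    """Tomcat style: ';...' is removed per segment, so '..;' becomes '..' and climbs
    out of the login-page prefix. Simplified model of the container's normalization."""
    return _resolve(target, strip_path_params=True)


def is_traversal(target: str) -> bool:
    """High-confidence signal: the two normalizations disagree."""
    return front_end_path(target) != container_path(target)


def has_path_param(target: str) -> bool:
    """Broad signal: any ';' in the path part of the request target."""
    return ";" in target.split("?", 1)[0]


def scan(log_text: str) -> List[Finding]:
    """Return the parsed lines whose path parameters change how the path resolves."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess at them
        target = m["target"]
        if is_traversal(target) or has_path_param(target):
            findings.append(Finding(m["src"], m["method"], target,
                                    front_end_path(target), container_path(target),
                                    m["status"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} {f.method} {f.status} front-end={f.front_end_path} "
              f"container={f.container_path}")
```

Two caveats when running this over real logs: the front end only records the raw request target, so the container view is always inferred, never observed; and the broad signal fires on any ";" in the path, which also matches legitimate Tomcat URL rewriting such as ";jsessionid=", so treat it as a triage filter and the normalization mismatch as the actual finding.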