How to remediate and test TMUI RCE vulnerability
CVE-2020-5902 ?
CVE-2020-5902 ?
F5 Codes affected :
11.x to 15.x except 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 and 11.6.5.2
How to test you are affected with this vulnerability?
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
How to fix this ?
Ofcoz its a code upgrade to the fixed version, but its not easy to plan this over night...
What would be the workaround ?
It’s a 3-step approach (as of now), priority in order....
1. Secure your Self IP with Port lockdown enabled, set to none (preferably) or custom as per requirements (don’t allow configuration utility ports, usually 443 or 8443 (for BIG-IP 13.x Single NIC BIG-IP Virtual Edition (VE)). This will help to avoid any attacks by exploiting this vulnerability from INTERNET.
2. Allow management access only from a secure network.
3. Enable location match settings (This is not covering all, not every effective completely. However, better than nothing), regex to match is was ".*\.\.;.*" and later corrrect to ";"
However, this can be still exploited as per the latest research.
a. edit /sys httpd all-properties
b. replace the line “include none” by following and save the file
c. save /sys config
d. restart sys service httpd
How to check the attempts of exploitation ?
Versions till to 14.1.0:
In versions earlier than 14.1.0, with the default configuration, you can check logs in /var/log/audit and /var/log/ltm as follows.
grep -i '%tmui' /var/log/audit
grep -i '%tmui' /var/log/ltm
Log entries similar to the following are an indication of possible compromise:
audit.1:Jul 7 18:43:12 [REDACTED] notice tmsh[27903]: 04426005:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated.
ltm.1:Jul 7 18:43:12 [REDACTED] notice tmsh[27903]: 04426006:5: Cannot load user credentials for user "%tmui" Current session has been terminated.
Versions 14.1.0 and up
In version 14.1.0 and up, you can examine the output of journalctl for evidence of attempts to exploit this vulnerability by issuing the command bash
journalctl /bin/logger | grep -F ';'
Output may appear similar to the following example on a device
Jul 07 22:23:07 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [07/Jul/2020:22:23:07 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252
If any log entries are visible similar to above, it's an indication of exploiting the BIG-IP system.
Versions till to 14.1.0:
In versions earlier than 14.1.0, with the default configuration, you can check logs in /var/log/audit and /var/log/ltm as follows.
grep -i '%tmui' /var/log/audit
grep -i '%tmui' /var/log/ltm
Log entries similar to the following are an indication of possible compromise:
audit.1:Jul 7 18:43:12 [REDACTED] notice tmsh[27903]: 04426005:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated.
ltm.1:Jul 7 18:43:12 [REDACTED] notice tmsh[27903]: 04426006:5: Cannot load user credentials for user "%tmui" Current session has been terminated.
Versions 14.1.0 and up
In version 14.1.0 and up, you can examine the output of journalctl for evidence of attempts to exploit this vulnerability by issuing the command bash
journalctl /bin/logger | grep -F ';'
Output may appear similar to the following example on a device
Jul 07 22:23:07 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [07/Jul/2020:22:23:07 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252
If any log entries are visible similar to above, it's an indication of exploiting the BIG-IP system.
Last but not the least, its always a good idea to chain of security (multi vendor), so that you will not get hit by a vulnerability directly, eg: FW ->IPS->BIGIP in this case.... Sigh!
