F5 issues fixes for major cybersecurity flaw

(Image credit: F5 Networks)

F5 has issued patches for its BIG-IP application delivery controllers after a security researcher discovered two critical vulnerabilities in its software.

The vulnerabilities, tracked as CVE-2020-5902 and CVE-2020-5903, reside in a configuration tool known as the Traffic Management User Interface and exploiting them could allow an attacker to gain full admin control over a vulnerable device.

The first vulnerability has a CVSS score of 10 out of 10 and puts F5's networking equipment at risk of arbitrary code execution while the second one has a CVSS score of 7.5 and is a JavaScript-based cross-site scripting (XSS) vulnerability.

What makes these flaws particularly concerning is due to the fact that many large enterprises use BIG-IP gear to handle sending traffic to and from their critical applications. An attack that successfully exploited these vulnerabilities could potentially be disastrous for the many of the Fortune 500 companies that are customers of F5.

BIG-IP application delivery controller

The flaws themselves were first discovered by senior web application security researcher Mikhail Klyuchnikov at Positive Technologies who provided further insight on them in a blog post, saying:

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution. The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet."

Network admins are advised to update their firmware as soon as possible to avoid falling victim to any potential attacks leveraging the two vulnerabilities.

The flaws are present in BIG-IP versions 11 through 15 and those using the company's networking equipment can find more details on how to patch them in this security bulletin as well as this one from F5 Networks.

Via The Register

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake