Introduction

BIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, and web application firewall.

The vulnerability, assigned CVE-2020-5902 and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage.

What is RCE?

Like its name very well says, Remote Code Execution (also known as Remote Code Evaluation) is a vulnerability that allows attackers to access a third party’s systems and read or delete their contents, make changes, or otherwise take advantage of their computers by running code on them – regardless of where they are physically located.

Essentially, by having an app or server that are vulnerable to RCE you’re giving an attacker not only access to your server and a whole lot of data stored on it, but also the ability to use it for malicious purposes, such as attacking other systems with it.

What is OS command injection, and how to prevent it? | Web ...
From BurpSuite

How does RCE work?

RCEs can be exploited when user input is executed by the programming language’s parser. This means that user input is read as part of the code, and executed as such. Although this is generally considered bad practice, it is sometimes done intentionally by developers to allow users to access certain functions of the programming language. 

How does the F5 BIG-IP ADC RCE Flaw (CVE-2020-5902) work?

An unauthenticated attacker can remotely exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Successful exploitation of this vulnerability could allow attackers to gain full admin control over the device, eventually making them do any task they want on the compromised device without any authorization.

From thehackernews

The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.

RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation

As of June 2020, more than 8,000 devices have been identified online as being exposed directly to the internet, of which 40% reside in the United States, 16% in China, 3% in Taiwan, 2.5% in Canada and Indonesia and less than 1% in Russia.

Affected companies and administrators relying on vulnerable BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x are strongly recommended to update their devices to the latest versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4 as soon as possible.

Moreover, users of public cloud marketplaces like AWS (Amazon Web Services), Azure, GCP, and Alibaba are also advised to switch to BIG-IP Virtual Edition (VE) versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, or 15.1.0.4, as soon as they are available.