This is an important vulnerability to understand even if you don’t use F5 products because you certainly do use other products that share the same vulnerable components as the F5 BIG-IP products. There are a ton of lessons to be learned from this exploit that can be applied broadly. One lesson in particular is that we really should assume that all products we use harbor the same secure coding violations that underly CVE-2020-5902 and take pre-emptive action to limit risk.
The speed with which this exploit developed recalls, “Information wants to be free”. That old movie line is appropriated for different causes, but it also captures a fundamental truth about information – it leaks out one way or another. CVE-2020-5902’s exploit details very quickly became public even though responsible disclosure was followed. It’s a classic example of where the tiny bit of information revealed in a vendor’s mitigation recommendation gives attackers all they need to find the exploit.
While waiting to patch, F5 recommended that customers configure a rule to block posts to any URL containing to dots followed by a semicolon, as in
..;
Any hacker recognizes .. as “go to parent directory” so you can’t hide that this exploit involves directory traversal. The semicolon is just a way of triggering the Traversal, allowing you to call another JSP and bypassing auth. It doesn't strictly allow for command injection. We use the built in tmshCmd.jsp and fileSave.jsp to achieve code execution.
It took just days for researchers to publish POCs (proof of concepts), exploits to be detected in the wild and for Metasploit modules to appear. This one is so simple to find and exploit that one person pointed out that “If the exploit fits in a tweet, you know it’s pretty bad lmao”.
In this webinar I’ll be joined by the very knowledgeable Kev Breen (@KevTheHermit) from Immersive Labs and experienced red teamer Evan Anderson (@syndrowm) from Randori. These guys know their stuff. Together we will deconstruct CVE-2020-5902. Some of the points I think you will really enjoy, include:
- How the exploit works
- How Java and Apache fits into the vulnerability
- How to use the exploit to download or upload files or run arbitrary shell commands
- Why supposedly hardened Internet facing appliances like F5’s BIG-IP contain such simple but powerful security holes
- How it’s similar to the recent Citrix and crucial differences
- How following best practices like attack surface management works
Evan will lead a valuable discussion about why we need to assume all products are vulnerable to weaknesses like those behind CVE-2020-5902– and if that’s the case, what we can do about it proactively and strategically even before such holes are found to ensure we’re prepared.
Kev will demonstrate this vulnerability using a hand-on lab he’s created in Immersive Labs platform that allows you to role play as a blue or red teamer using CVE-2020-5902.
This real training for free event will be jam packed with technical detail and real-world application. Please register now.