F5 patches vulnerability that received a CVSS 10 severity score


F5 Networks, one of the world’s largest providers of enterprise networking gear, published a security advisory this week warning customers to patch a dangerous security flaw that is very likely to be exploited.

The vulnerability impacts the company’s BIG-IP product line. These are multi-purpose networking appliances (application delivery controllers) that can act as web traffic shaping systems, load balancers, firewalls, access gateways, rate limiters, or SSL/TLS termination proxies.

BIG-IP is one of the most popular networking products in use today. These devices are used in government networks all over the globe, on the networks of internet service providers, inside cloud computing data centers, and widely across enterprise networks.

On its website, F5 says its BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.


Tracked as CVE-2020-5902, the BIG-IP bug was found and privately reported to F5 by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

The bug is a so-called “remote code execution” vulnerability in BIG-IP’s management interface, known as TMUI (Traffic Management User Interface).

Attackers can exploit this bug from any network that can reach the management interface, including the internet wherever TMUI has been exposed there, to gain access to the TMUI component, which runs on top of a Tomcat server on BIG-IP’s Linux-based operating system.

Attackers don’t need valid credentials to attack devices, and a successful exploit can allow intruders to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code, eventually giving attackers full control over the BIG-IP device.

The vulnerability is so dangerous that it received the rare 10 out of 10 score on the CVSSv3 vulnerability severity scale. A 10.0 means the bug is reachable over the network, has low attack complexity, requires no privileges and no user interaction, fully compromises confidentiality, integrity and availability, and (since only a scope-changed vector can reach 10.0) lets the attacker affect resources beyond the vulnerable component itself. In practice that describes a flaw that is easy to exploit, easy to automate, and usable against internet-facing devices without valid credentials or advanced coding skills.

Coincidentally, this was the second 10/10 CVSS bug in a networking device disclosed this week, after a similar critical bug was revealed on Monday to impact Palo Alto Networks VPN and firewall devices.

Need for urgent patching

US Cyber Command issued a warning to the private and government sector this week to patch the Palo Alto bug — as they expected that foreign state hackers would attempt to exploit the vulnerability.

No official warning was issued by a US cyber-security agency, but the F5 bug is no less severe and just as dangerous as the Palo Alto one.

“The urgency of patching this [bug] cannot be understated,” Nate Warfield, a former F5 Networks engineer and now a security researcher at Microsoft, said on Twitter this week.

“A common use of their technology is SSL offloading,” he added. “Full compromise of a system could, in theory, allow someone to snoop on unencrypted traffic inside the device.

“Their [management] OS is Linux based, and like most ADCs (application delivery controllers), they are deployed in core, high-access parts of networks.”

Currently, according to a Shodan search, there are around 8,400 BIG-IP devices connected online.

At the time of writing, several companies and security researchers in the cyber-security community have told ZDNet that they have not detected any attacks targeting these devices, but they fully expect attacks to begin soon, especially if proof-of-concept exploit code is shared publicly online.
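Given that roughly 8,400 management interfaces are reachable from the internet, the quickest check a defender can run while waiting for a patch window is to confirm that only management hosts are talking to TMUI. The following added example (not code from the article or from F5) scans Apache combined-format access log lines for requests to TMUI paths from addresses outside an allow-listed management network. It assumes TMUI's login page lives at /tmui/login.jsp and that the front-end web server writes combined-format logs; the log lines and the 10.0.0.0/24 management range are constructed for the example.

```python
"""Flag TMUI requests that reach a BIG-IP from outside the management network.

Added example, not from the article or from F5. The TMUI should only ever be
reached from management addresses; any other client hitting /tmui/ is either an
exposure that needs fixing or an attack in progress.
"""
import ipaddress
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed: the only networks allowed to reach the management UI.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation space.
SAMPLE_LOG = """\
10.0.0.17 - - [03/Jul/2020:09:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jul/2020:09:15:47 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3112 "-" "python-requests/2.24"
198.51.100.23 - - [03/Jul/2020:09:15:49 +0000] "GET /%74mui/login.jsp HTTP/1.1" 200 3112 "-" "python-requests/2.24"
203.0.113.9 - - [03/Jul/2020:09:16:10 +0000] "GET / HTTP/1.1" 301 0 "-" "curl/7.68"
this line is not an access log entry
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Percent-decode so an encoded path such as /%74mui/ cannot slip past the prefix test.
    rec["path"] = unquote(rec["path"])
    return rec


def is_management_client(ip: str, mgmt_nets=MGMT_NETS) -> bool:
    """True only if the client address parses and falls inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in mgmt_nets)


def find_external_tmui_hits(log_text: str, mgmt_nets=MGMT_NETS) -> list:
    """Every parsed request for a /tmui/ path whose client is not a management host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/tmui/"):
            continue
        if not is_management_client(rec["ip"], mgmt_nets):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_external_tmui_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On the constructed input this reports the two requests from 198.51.100.23 (including the percent-encoded one) and ignores the management host and the request to `/`. A non-empty result is the signal that the management plane is reachable from where it should not be, which is the condition the article's Shodan count measures from the outside.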

The F5 security advisory for the CVE-2020-5902 BIG-IP TMUI RCE is published on F5's support site (knowledge base article K52145254), with information on vulnerable software versions, fixed versions, and interim mitigations for devices that cannot be upgraded immediately.
