Mikhail Klyuchnikov, a security researcher at Positive Technologies, the company that discovered the vulnerability and reported it to F5 Networks, said that the flaw exists in a configuration utility, the Traffic Management User Interface (TMUI), that ships inside the BIG-IP Application Delivery Controller. The vulnerability, CVE-2020-5902, is classified as critical and has a CVSS score of 10 out of 10. It could enable remote attackers to take control of affected systems and ultimately commandeer the traffic they handle.
The attack vector for CVE-2020-5902
To exploit this vulnerability, an attacker can send a malicious HTTP request to the server hosting the Traffic Management User Interface, the tool used to configure the BIG-IP system. After bypassing the security safeguards, attackers gain full access to the compromised server and can execute commands without any further authentication.
Once in control of the BIG-IP system they can create and delete files, execute Java code, control services, reach the internal network behind the device, and do virtually anything else.
ADC XSS Flaw
There is also a second vulnerability, scored 7.5 out of 10: a cross-site scripting (XSS) flaw that allows attackers to run JavaScript code as if they were a logged-in administrator. This flaw, CVE-2020-5903, was addressed together with the previous one before either was made public.
To mitigate these attacks, system administrators running versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, or 15.1.x are advised to update to 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, or 15.1.0.4, respectively. Users of the F5 BIG-IP Virtual Edition are likewise advised to update to the latest version through their cloud provider, such as Azure, AWS, or Alibaba.
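As an added example (not from the article, and not F5's own tooling), the following Python helper turns the version table above into a triage check: given the version string of each BIG-IP device in an inventory, it reports whether the device is below the fixed release for its branch. The branch-to-fix mapping is taken from the article as written, with 15.0.x and 15.1.x both assumed to move to 15.1.0.4; the host names and versions in the sample inventory are constructed.

```python
# Added example (not from the article): a small triage helper that checks a
# BIG-IP version string against the fixed releases the article lists for
# CVE-2020-5902 / CVE-2020-5903. Host names and versions below are constructed.
from typing import Dict, List, Tuple

# Affected release branch -> first fixed release, as listed in the article.
# The article maps six affected branches onto five fixed releases; 15.0.x and
# 15.1.x are both taken to move to 15.1.0.4 (an assumption about "respectively").
FIXED_VERSIONS: Dict[str, str] = {
    "11.6": "11.6.5.2",
    "12.1": "12.1.5.2",
    "13.1": "13.1.3.4",
    "14.1": "14.1.2.6",
    "15.0": "15.1.0.4",
    "15.1": "15.1.0.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.2.6' into (14, 1, 2, 6) so tuples compare numerically.

    A trailing build suffix such as '15.1.0.4 Build 0.0.6' is ignored;
    anything non-numeric in the dotted part is rejected rather than guessed.
    """
    dotted = version.strip().split()[0] if version.strip() else ""
    parts = dotted.split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def assess(version: str) -> Dict[str, object]:
    """Classify one running version as vulnerable, patched, or unlisted."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1] if len(parsed) > 1 else 0}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        status = "unlisted"  # branch not named in the article; consult F5's advisory
    elif parsed >= parse_version(fixed):
        status = "patched"
    else:
        status = "vulnerable"
    return {"version": version, "branch": branch, "fixed": fixed, "status": status}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, vulnerable hosts first."""
    rows = [(host, ver, str(assess(ver)["status"])) for host, ver in inventory.items()]
    order = {"vulnerable": 0, "unlisted": 1, "patched": 2}
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "lb-edge-01": "14.1.2.3",
        "lb-edge-02": "14.1.2.6",
        "lb-dmz-01": "15.0.1.0 Build 0.0.1",
        "lb-lab-01": "16.0.0",
    }
    for host, ver, status in triage(sample):
        print(f"{host:12} {ver:22} {status}")
```

Feed it the version strings from your asset inventory; anything reported as `vulnerable` is below the article's fixed release for its branch, and `unlisted` flags branches the article does not cover so they are not silently treated as safe.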