CVE-2020-5902 F5 Big-IP – K52145254: TMUI RCE vulnerability

Published: 2020-07-01
MITRE CVE-2020-5902

“The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.”

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

CVSS Base score: 10 of 10

Basefarm is tracking the internal work on this vulnerability as BF-VLN-2077661. We have gone through the CVSS calculator and made an Environmental score for our own prioritization, as Basefarm does not expose the vulnerable TMUI, management port and/or Self IP to public traffic. We do not recommend that anyone expose the TMUI, management port and/or Self IP to the public internet; these should be on a management VLAN only reachable after authentication with multi-factor authentication. The reason for this is exactly the risk of vulnerabilities like this one.
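How an Environmental score follows from the exposure of the management interface, as an added example (not Basefarm's or F5's code) using the CVSS v3.1 equations. The base vector and the modified metrics (MAV, MPR) are assumptions chosen for illustration; the page states only the base score of 10 and not the values Basefarm used.

```python
import math

# CVSS v3.1 metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}

# Assumption: one base vector that scores 10.0; the page gives only the score.
ASSUMED_BASE = "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

def roundup(x):
    """Spec rounding: smallest one-decimal value >= x, tolerant of float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def environmental_score(base_vector, overrides=None):
    """Environmental score; temporal metrics are left Not Defined (factor 1)."""
    m = dict(part.split(":") for part in base_vector.split("/"))
    req = {"CR": "X", "IR": "X", "AR": "X"}
    for key, value in (overrides or {}).items():
        if key in req:
            req[key] = value
        elif value != "X":
            m[key[1:]] = value          # e.g. MAV:A replaces the base AV
    changed = m["S"] == "C"
    miss = min(1 - (1 - REQ[req["CR"]] * CIA[m["C"]])
                 * (1 - REQ[req["IR"]] * CIA[m["I"]])
                 * (1 - REQ[req["AR"]] * CIA[m["A"]]), 0.915)
    if changed:
        impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    else:
        impact = 6.42 * miss
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

if __name__ == "__main__":
    scenarios = {  # constructed modelling choices, not Basefarm's
        "TMUI exposed as in the base vector": {},
        "management VLAN only": {"MAV": "A"},
        "management VLAN behind an authenticating gateway": {"MAV": "A", "MPR": "H"},
    }
    for name, overrides in scenarios.items():
        print(f"{name}: {environmental_score(ASSUMED_BASE, overrides)}")
```

With these assumed inputs the three scenarios score 10.0, 9.7 and 8.5: isolating the management interface lowers the priority only modestly, so the upgrade remains necessary.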

The recommended fix is to upgrade to a newer version, but a temporary workaround also exists. We refer to the BIG-IP knowledge-base article K52145254 for details.