Prompt triage is recommended

UPDATED Network security appliance firm F5 has warned of a series of vulnerabilities affecting its BIG-IP products, including a cross-site scripting (XSS) vulnerability that’s said to pose a critical risk.

The vulnerability (CVE-2020-5948) means that “undisclosed endpoints in iControl REST allow for a reflected XSS attack”.

Prompt triage is recommended because failure to patch could result in “complete compromise of the BIG-IP system if the victim user is granted the admin role” and in the event of a successful attack.

Multiple BIG-IP versions are affected. Users need to update to branch versions
13.1.3.5, 14.1.2.8, 15.1.1 or 16.0.1 (as appropriate), as explained in an advisory from F5.

The vulnerability affects F5‘s Application Security Manager (ASM), a web application firewall; Local Traffic Manager (LTM), a load balancing product; Access Policy Manager (APM) authentication technology; and Application Acceleration Manager (AAM); among other product modules.

NVD gave the flaw a CVSSv3 score of 9.6, or critical - a rating F5 disputes.

An engineering representative from F5 told The Daily Swig: “We don’t know why NVD thinks this is a critical. F5 does not consider it to be, we scored it as a 7.5 high.”

FTP breakage

Another set of patches, also released by F5, address a denial-of-service risk to File Transfer Protocol (FTP) channel.

More specifically on “BIG-IP versions 14.0.0-14.0.1 and 13.1.0-13.1.3.4, certain traffic pattern sent to a virtual server configured with an FTP profile can cause the FTP channel to break”.

The vulnerability (CVE-2020-5949) earned a CVSS score of 7.5 (high risk).

Users are advised to upgrade to versions 13.1.3.5 or 14.1.0 as appropriate.

The third of final set of patches released on December 11 address a memory leak vulnerability.

This vulnerability (CVE-2020-27713) is limited to BIG-IP version 13.1.3.4 but has a high impact on affected modules.

A summary by NIST explains: “In certain configurations on version 13.1.3.4, when a BIG-IP AFM HTTP security profile is applied to a virtual server and the BIG-IP system receives a request with specific characteristics, the connection is reset and the Traffic Management Microkernel (TMM) leaks memory.”

In the line of fire

Security industry watchers have had F5’s vulnerabilities and exploitation on their radar for some months because they have become fodder for sustained malfeasance.

In July 2020, F5 warned a remote code execution (RCE) vulnerability (CVE-2020-5902) in the BIG-IP Traffic Management User Interface (TMUI) could be used to hijack vulnerable systems.

The CVE-2020-5902 vulnerability has since become the target of mass scanning as well as assaults linked to Chinese and Iranian state-backed hacker.


This story was updated to add comment from F5


RELATED F5 customers urged to patch systems as critical BIG-IP flaw is actively exploited