Forum Discussion
NimbostratusCommunity Question: K52145254: TMUI RCE vulnerability CVE-2020-5902
Editors Note: Authoritative answers for this CVE can be found at https://support.f5.com/csp/article/K52145254. -LZ.
This vulnerability was recently announced and steps were take as suggested (obviously!). If we see the Impact as mentioned:-
"This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise.The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected."
Don't we want the authenticated admin to restart the services if and when required?
Also, one of the remedial steps as suggested is to edit the httpd properties as shown in document.
How does that stop an genuine authenticated (admin) user on LAN network or VPN who tries to restart the services ?
3 Replies
- Samir
MVP
This is very good document for reference: https://devcentral.f5.com/s/articles/Traffic-Management-User-Interface-Vulnerability-How-to-fix-it?srcHeader
Kb Article : https://support.f5.com/csp/article/K52145254
Amresh008Samir, I have already gone through this document but this does not answer my query. One of my colleagues spoke to TAC and narrated me that as per TAC this vulnerability may allow (let's say an L1 engineer) with no actual rights to modify the services, can actually modify them.
- nmb-AskF5
Employee
This is noted in the official Security Advisory, as of last week:
"Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level."
Please refer to the official Security Advisory on AskF5 linked above for more detail on how to install a point release to patch the vulnerability. Thanks!
