Using BIG-IQ to Address the CVE-2020-5902 Vulnerability
As you’re probably already aware, a critical vulnerability was recently discovered within the BIG-IP Traffic Management User Interface (TMUI). In a nutshell, TMUI—sometimes known as the Configuration Utility—has a Remote Code Execution (RCE) vulnerability that can result in a complete system compromise through the ability to:
- Execute system commands
- Create or delete files
- Disable services
- Execute arbitrary Java code
The most critical cases involve BIG-IP systems whose management port and/or self IPs are exposed to the open internet. In these cases, it’s best to assume a breach/compromise scenario and respond accordingly—refer to your organization’s incident response plan. However, even those BIG-IPs that aren’t internet-facing and running in Appliance mode, are still vulnerable.In short, this is an issue that all BIG-IP customers need to address immediately.
Fixing the problem
F5 has released several resources to help our customers who’ve been affected by this issue. We recommend getting started here on AskF5. In addition to the resources highlighted in the AskF5 article, our DevCentral team has facilitated some video resources and curated answers to the many questions we have received.The first link provides a matrix that outlines which versions of BIG-IP were affected by the vulnerability. To eliminate this issue completely, the recommended course of action is to update/install a new, fixed version of BIG-IP—these fixed versions are listed in the same matrix. If updates cannot be performed quickly, there are other mitigation techniques that can be employed that are listed on the AskF5 article.
A couple of the strategies highlighted in the resources above center around BIG-IQ, F5’s powerful solution for unified visibility and management of BIG-IP. BIG-IQ can be especially useful in the context of addressing the CVE-2020-5902 vulnerability as it makes the management of many BIG-IPs much easier and programmatic. With BIG-IQ’s single UI, you can employ two effective CVE-2020-5902 mitigation strategies:
- Running a bash script on BIG-IQ managed devices
- Upgrading/updating managed devices to new BIG-IP software versions
The bash approach
For those that aren’t ready for a full upgrade of their affected BIG-IPs, leveraging a script that mitigates the vulnerability—at least until such time that a highly recommended upgrade can be performed—is a good strategy. BIG-IQ makes this process simple. You can find the script referenced in the video on github - https://github.com/usrlocalbins/Big-IQ-scripts.
The upgrade/update approach
As we mentioned before, the recommended method is to update your BIG-IP software to a “fixed” version. Beyond CVE-2020-5902, running updated/upgraded versions of software is good practice as it ensures you:
- Get the latest features and capabilities
- Are protected from identified threats, vulnerabilities, and bad actors
- Remain in compliance
- Are eligible for support and expert help
- Keep maintenance costs down
- Sidestep compatibility issues with legacy software
The process for updating managed (many) BIG-IPs with BIG-IQ is very straightforward and greatly reduces the time, effort, and manual errors associated with a piecemeal BIG-IP upgrade approach—especially for those with large BIG-IP portfolios.