Advisory July 6, 2020

TMUI RCE Vulnerabilities

SOC

What is it about?

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
The vulnerability has been assigned CVE-2020-5902 and is rated critical, with a CVSS score of 10 out of 10.
Also, a Cross-Site Scripting (XSS) vulnerability, assigned CVE-2020-5903, exists in an undisclosed page of the BIG-IP Configuration utility.

What is the impact of this attack?

This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

XSS:
An attacker can exploit this vulnerability to run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution.

Affected product versions:

BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x

What organisations should do as part of mitigation and prevention actions:

Organisations are strongly recommended to update their devices to the latest versions 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.1.0.4 as soon as possible.
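The version check implied by the recommendation above, as an added example that is not F5's code or tooling: given BIG-IP version strings as reported by the devices, it flags which ones are on an affected branch below the fixed release named in this advisory. The branch-to-fix table is taken from the versions listed here; because no 15.0.x fix is listed, the script treats 15.1.0.4 as the upgrade target for 15.0.x devices, which is an assumption. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by affected branch (major, minor).
# No 15.0.x fix is listed; 15.1.0.4 is used as the target for that branch
# (assumption, see lead-in).
FIXED_VERSIONS = {
    (11, 6): "11.6.5.2",
    (12, 1): "12.1.5.2",
    (13, 1): "13.1.3.4",
    (14, 1): "14.1.2.6",
    (15, 0): "15.1.0.4",
    (15, 1): "15.1.0.4",
}


def parse_version(text):
    """Turn a BIG-IP version string such as '14.1.2.3' into a 4-tuple of ints.

    BIG-IP releases carry four dotted fields; shorter strings are padded with
    zeros so '15.1' compares as 15.1.0.0. Anything else is rejected.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text):
    """Classify one device version against the advisory.

    Returns (status, fixed_version) where status is one of:
      'vulnerable' - on an affected branch and below the fixed release
      'fixed'      - on an affected branch at or above the fixed release
      'unlisted'   - branch not named in the advisory; verify separately
    """
    version = parse_version(version_text)
    fixed_text = FIXED_VERSIONS.get(version[:2])
    if fixed_text is None:
        return "unlisted", None
    if version >= parse_version(fixed_text):
        return "fixed", fixed_text
    return "vulnerable", fixed_text


def report(inventory):
    """inventory: {hostname: version string} -> report lines, worst first."""
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    rows = []
    for host, ver in inventory.items():
        status, fixed = assess(ver)
        rows.append((order[status], host, ver, status, fixed))
    rows.sort()
    return [f"{host:<12} {ver:<10} {status:<10} target={fixed or 'n/a'}"
            for _, host, ver, status, fixed in rows]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "lb-edge-01": "14.1.2.3",
        "lb-edge-02": "14.1.2.6",
        "lb-core-01": "15.0.1.4",
        "lb-lab-01": "13.1.3.4",
        "lb-old-01": "11.5.4",
    }
    print("\n".join(report(sample)))
```

Versions are compared as tuples of integers rather than strings, so a hypothetical 14.1.2.10 is correctly placed above 14.1.2.6. A device reported as "unlisted" is not declared safe; the advisory simply does not name its branch, and such devices should be checked against the F5 articles directly.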

You can find more information regarding the vulnerabilities in the F5 support articles:

https://support.f5.com/csp/article/K52145254
https://support.f5.com/csp/article/K43638305