Critical F5 TMUI Vulnerability CVE-2020-5902
Security vendor F5 have released details of a vulnerability in their Traffic Management User Interface (TMUI), also known as the Configuration Utility, that has a CVSS score of 10, the maximum severity possible. 
The vulnerability (CVE-2020-5902), brought to F5’s attention by Mikhail Klyuchnikov of Positive Technologies, affects a number of F5 products that use the TMUI and allows unauthenticated remote code execution, potentially leading to total system compromise, which accounts for the critical severity.
There is currently no known public exploit for the vulnerability, or examples of exploitation in the wild, but given F5’s position in the market as a supplier to leading financial institutions, CNI providers, and other high profile targets, it is reasonable to assume that an exploit may quickly be developed.
The BIG-IP product family uses the TMUI and is potentially vulnerable; BIG-IQ (software branches 5.x-7.x) and Traffix SDC (software branch 5.x) also use the TMUI but have been evaluated by F5 and determined to be not vulnerable. Users of BIG-IP products should refer to the Affected Products section for a full reference of affected versions, and cross reference against those in their environments.
Users with known vulnerable versions – including users leveraging public cloud marketplaces (AWS, Azure, GCP, and Alibaba) to deploy BIG-IP Virtual Edition – should upgrade to the respective version containing the patch, as shown in the Affected Products section. If the table only lists an older version than one currently in use, or doesn’t show a version that is not vulnerable, then no release candidate patch is available, and users should take steps to temporarily mitigate in the ‘All network interfaces’, ‘Self IPs’, and ‘Management Interface’ sections of the affected product, per the following advice from F5.
All network interfaces
To eliminate the ability for unauthenticated attackers to exploit this vulnerability, add a LocationMatch configuration element to httpd. To do so perform the following procedure:
Note: Authenticated users will still be able to exploit the vulnerability, independent of their privilege level.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
- Log in to the TMOS Shell (tmsh) by entering the following command:
- Edit the httpd properties by entering the following command:
edit /sys httpd all-properties
- Locate the include section and add the following:
include ' <LocationMatch ".*\.\.;.*"> Redirect 404 / </LocationMatch> '
- Write and save the changes to the configuration file by entering the following commands:
- Save the configuration by entering the following command:
save /sys config
- Restart the httpd service by entering the following command:
restart sys service httpd
Block all access to the TMUI of your BIG-IP system via Self IPs. To do so, you can change the Port Lockdown setting to Allow None for each Self IP in the system. If you must open any ports, you should use Allow Custom, taking care to disallow access to TMUI. By default, TMUI listens on TCP port 443; however, beginning in BIG-IP 13.0.0, Single-NIC BIG-IP VE deployments use TCP port 8443. Alternatively, a custom port may be configured.
Note: This prevents all access to the TMUI/Configuration utility via the Self IP. These changes may also impact other services.
Before making changes to the configuration of your Self IPs, refer to the following:
- K17333: Overview of port lockdown behavior (12.x – 15.x)
- K13092: Overview of securing access to the BIG-IP system
- K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual Edition now defaults to TCP port 8443
- K51358480: The single-NIC BIG-IP VE may erroneously revert to the default management httpd port after a configuration reload
To mitigate this vulnerability for affected F5 products, you should only permit management access to F5 products over a secure network. For more information about securing access to BIG-IP systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x – 15.x) and K13092: Overview of securing access to the BIG-IP system.
Note: Authenticated users accessing TMUI will always be able to exploit this vulnerability until a fixed release is installed.
Administrators should update affected systems as soon as possible or apply the recommended mitigation until the appropriate patch is available.