严重 F5 BIG-IP TMUI 远程命令执行漏洞

CVE编号

CVE-2020-5902

利用情况

POC 已公开

补丁情况

没有补丁

披露时间

2020-07-02

漏洞描述

在BIG-IP版本15.0.0-15.1.0.3、14.1.0-14.1.2.5、13.1.0-13.1.3.3、12.1.0-12.1.5.1和11.6.1-11.6.5.1中，流量管理用户接口（TMUI），也称为配置实用程序，在未公开的页面中具有远程执行代码（RCE）漏洞。

解决建议

更新至最新版本

参考链接
http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversa...
http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Loca...
http://packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversa...
https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
https://support.f5.com/csp/article/K52145254
https://swarm.ptsecurity.com/rce-in-f5-big-ip/
https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
https://www.kb.cert.org/vuls/id/290915

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 15.0.0	Up to (including) 15.0.1.4
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
	运行在以下环境
	应用	f5	big-ip_advanced_web_application_firewall	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
	运行在以下环境
应用	f5	big-ip_application_security_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_application_security_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_application_security_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_application_security_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_application_security_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_ddos_hybrid_defender	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_domain_name_system	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_fraud_protection_service	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_global_traffic_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_link_controller	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_local_traffic_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 11.6.1	Up to (excluding) 11.6.5.2
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 12.1.0	Up to (excluding) 12.1.5.2
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 13.1.0	Up to (excluding) 13.1.3.4
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 14.1.0	Up to (excluding) 14.1.2.6
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 15.0.0	Up to (excluding) 15.0.1.4
运行在以下环境
应用	f5	ssl_orchestrator	*	From (including) 15.1.0	Up to (excluding) 15.1.0.4

阿里云评分 9.8

• 攻击路径 远程
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 全局影响
• EXP成熟度 POC 已公开
• 补丁情况 没有补丁
• 数据保密性 数据泄露
• 数据完整性 传输被破坏
• 服务器危害 服务器失陷
• 全网数量 N/A

CWE-ID	漏洞类型
CWE-22	对路径名的限制不恰当（路径遍历）
CWE-829	从非可信控制范围包含功能例程
CWE-94	对生成代码的控制不恰当（代码注入）

Exp相关链接

• https://github.com//yassineaboukir/CVE-2020-5902
• https://github.com/0xAbdullah/CVE-2020-5902
• https://github.com/ajdumanhug/CVE-2020-5902
• https://github.com/Al1ex/CVE-2020-5902
• https://github.com/Any3ite/CVE-2020-5902-F5BIG
• https://github.com/aqhmal/CVE-2020-5902-Scanner
• https://github.com/ar0dd/CVE-2020-5902
• https://github.com/corelight-ricky/CVE-2020-5902-F5BigIP
• https://github.com/corelight/CVE-2020-5902-F5BigIP
• https://github.com/cristiano-corrado/f5_scanner
• https://github.com/cybersecurityworks553/scanner-CVE-2020-5902
• https://github.com/d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter
• https://github.com/deepsecurity-pe/GoF5-CVE-2020-5902
• https://github.com/dnerzker/CVE-2020-5902
• https://github.com/dunderhay/CVE-2020-5902
• https://github.com/dwisiswant0/CVE-2020-5902
• https://github.com/EtoYoshio/t_pwn
• https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker
• https://github.com/faisalfs10x/F5-BIG-IP-CVE-2020-5902-checker
• https://github.com/faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner
• https://github.com/GoodiesHQ/F5-Patch
• https://github.com/GovindPalakkal/EvilRip
• https://github.com/halencarjunior/f5scan
• https://github.com/inho28/CVE-2020-5902-F5-BIGIP
• https://github.com/itsjeffersonli/CVE-2020-5902
• https://github.com/JaneMandy/CVE-2020-5902
• https://github.com/jas502n/CVE-2020-5902
• https://github.com/jiansiting/CVE-2020-5902
• https://github.com/jinnywc/CVE-2020-5902
• https://github.com/JSec1337/RCE-CVE-2020-5902
• https://github.com/k3nundrum/CVE-2020-5902
• https://github.com/lijiaxing1997/CVE-2020-5902-POC-EXP
• https://github.com/ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability
• https://github.com/momika233/cve-2020-5902
• https://github.com/MrCl0wnLab/checker-CVE-2020-5902
• https://github.com/murataydemir/CVE-2020-5902
• https://github.com/nsflabs/CVE-2020-5902
• https://github.com/PushpenderIndia/CVE-2020-5902-Scanner
• https://github.com/pwnhacker0x18/CVE-2020-5902-Mass
• https://github.com/qiong-qi/CVE-2020-5902-POC
• https://github.com/qlkwej/poc-CVE-2020-5902
• https://github.com/r0ttenbeef/cve-2020-5902
• https://github.com/renanhsilva/checkvulnCVE2020590
• https://github.com/rockmelodies/CVE-2020-5902-rce-gui
• https://github.com/rwincey/CVE-2020-5902-NSE
• https://github.com/Shu1L/CVE-2020-5902-fofa-scan
• https://github.com/superzerosec/cve-2020-5902
• https://github.com/sv3nbeast/CVE-2020-5902_RCE
• https://github.com/TheCyberViking/CVE-2020-5902-Vuln-Checker
• https://github.com/theLSA/f5-bigip-rce-cve-2020-5902
• https://github.com/tom0li/CVE-2020-5902
• https://github.com/tututu12138/CVE-2020-5902
• https://github.com/Un4gi/CVE-2020-5902
• https://github.com/wdlid/CVE-2020-5902-fix
• https://github.com/yasserjanah/CVE-2020-5902
• https://github.com/yassineaboukir/CVE-2020-5902
• https://github.com/zhzyker/CVE-2020-5902
• https://github.com/zhzyker/exphub
• https://github.com/Zinkuth/F5-BIG-IP-CVE-2020-5902
• https://raw.githubusercontent.com/1N3/Sn1per/master/templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh
• https://raw.githubusercontent.com/1N3/Sn1per/master/templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh
• https://raw.githubusercontent.com/1N3/Sn1per/master/templates/active/CVE-2020-5902_-_F5_BIG-IP_XSS.sh
• https://raw.githubusercontent.com/jaeles-project/jaeles-signatures/master/cves/f5-bigip-rce-cve-2020-5902.yaml
• https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/CVE-2020-5902.yaml
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
• https://www.exploit-db.com/exploits/48642
• https://www.exploit-db.com/exploits/48711

- avd.aliyun.com