F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch
Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.
The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within a configuration tool known as the Traffic Management User Interface.
"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5. "RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."
These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications.
The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, and 11.6.5.2.
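A practical first step for an administrator reading this is to check an inventory of BIG-IP devices against the affected ranges and decide which boxes to patch first. The script below is an added example, not code from The Register or from F5: the affected ranges come from the vulnerability table on this page and the fixed releases from the article text, while the inventory entries, host names and the `internet_facing` flag are constructed sample data. It pads dotted versions to four components so that a release such as 11.6.1 compares correctly against 11.6.5.1, and it ranks internet-facing affected devices ahead of internal ones.

```python
"""Version-range triage for the BIG-IP TMUI advisories (CVE-2020-5902 / CVE-2020-5903).

Affected ranges are taken from the advisory table on this page and fixed releases
from the article. Hosts and the internet_facing flags below are constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive (first affected, last affected) per branch, from the advisory table.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2020-5902": [("15.0.0", "15.1.0.3"), ("14.1.0", "14.1.2.5"),
                      ("13.1.0", "13.1.3.3"), ("12.1.0", "12.1.5.1"),
                      ("11.6.1", "11.6.5.1")],
    # The XSS advisory lists no 11.x branch at all.
    "CVE-2020-5903": [("15.0.0", "15.1.0.3"), ("14.1.0", "14.1.2.5"),
                      ("13.1.0", "13.1.3.3"), ("12.1.0", "12.1.5.1")],
}

# Fixed releases named in the article, keyed by major version.
FIXED: Dict[int, str] = {15: "15.1.0.4", 14: "14.1.2.6", 13: "13.1.3.4",
                         12: "12.1.5.2", 11: "11.6.5.2"}

# Constructed inventory; real data would come from a CMDB or from each device.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "lb-edge-01", "version": "15.1.0.3", "internet_facing": True},
    {"host": "lb-core-02", "version": "13.1.3.3", "internet_facing": False},
    {"host": "lb-lab-03", "version": "15.1.0.4", "internet_facing": True},
]


def parse_version(text: str, width: int = 4) -> Version:
    """Turn '11.6.1' into (11, 6, 1, 0) so tuples compare numerically and at equal length."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def is_affected(version: str, cve: str) -> bool:
    """True if the version falls inside any inclusive affected range for the CVE."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[cve])


def assess(version: str) -> Dict[str, object]:
    """Report which advisories apply to a version and the release that resolves them."""
    cves = [cve for cve in AFFECTED if is_affected(version, cve)]
    upgrade_to = FIXED.get(parse_version(version)[0]) if cves else None
    return {"version": version, "cves": cves, "upgrade_to": upgrade_to}


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rank devices: affected and internet-facing first, then affected internal, then clean."""
    rank = {"urgent": 0, "high": 1, "ok": 2}
    rows = []
    for dev in inventory:
        result = assess(str(dev["version"]))
        if not result["cves"]:
            priority = "ok"
        elif dev["internet_facing"]:
            priority = "urgent"
        else:
            priority = "high"
        rows.append({"host": dev["host"], "priority": priority, **result})
    return sorted(rows, key=lambda r: rank[str(r["priority"])])


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:6} {row['host']:12} {row['version']:10} "
              f"{','.join(row['cves']) or '-':28} -> {row['upgrade_to'] or 'no action'}")
```

The ranking is deliberately coarse: it only encodes the article's own advice (patch, and patch internet-facing TMUI first). A real rollout would also record whether the management interface is reachable from untrusted networks at all, since that exposure, not the version alone, is what turns the RCE into an emergency.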
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/03/f5_critical_flaws_big_ip/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems
- Patch Tuesday: Four Critical Vulnerabilities Paved Over
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks
- Exploit released for critical WhatsUp Gold RCE flaw, patch now
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-07-01 | CVE-2020-5902 | Path Traversal vulnerability in F5 products. In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. | 9.8 |
2020-07-01 | CVE-2020-5903 | Cross-site Scripting vulnerability in F5 products. In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | 6.1 |