Skip to content
Loading...

BIG-IP Vulnerability Scanner (CVE-2020-5902)

Discover vulnerable F5 BIG-IP devices, affected by Remote Code Execution in the TMUI component.

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our BIG-IP Vulnerability Scanner (CVE-2020-5902)! Compare pricing plans and discover more tools and features.

Sample Report

Here is a BIG-IP Vulnerability Scanner (CVE-2020-5902) sample report:

  • Contains evidence for the identified vulnerability (extracted file)
  • Includes exploit information and risk details
  • Provides recommendations for fixing the issue

Download Sample Report

Sample report

BIG-IP Vulnerability Scanner (CVE-2020-5902) - Use Cases

The scanner detects if the target host is vulnerable to the F5 BIG-IP RCE vulnerability - CVE-2020-5902. This affects multiple F5 products which use the Traffic Management User Interface component (TMUI).

Technical Details


About

The vulnerability was discovered by researcher Mikhail Klyuchnikov of Positive Technologies in June 2020 and allows an unauthenticated attacker to execute remote commands as root on the vulnerable F5 BIG-IP device.

The vulnerability is present in the TMUI (Traffic Management User Interface) component, which is a configuration utility that allows authenticated users to manage their BIG-IP product and adjust its settings.

At its core, CVE-2020-5902 is a path traversal vulnerability which can be easily escalated to remote code execution. By using a path traversal sequence like /..;, it is possible to call internal functionality (TMUI modules) of the application without authentication.

Some interesting actions that can be performed by exploiting this vulnerability are:

Operation Attack vector
Read arbitrary files https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
List files from directory https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp/
Create file with custom content https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=test
Execute predefined system commands https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user

To better understand how CVE-2020-5902 is exploited, please see a video demo of the F5 BIG-IP RCE exploit on our blog, including more technical details.


Parameters

Parameter Description
Target host This can be a single IP or a hostname.
Target port This is the HTTP port of the TMUI component on the BIG-IP device. Default: 443/HTTPS.


How it works

The tool attempts to discover the vulnerability by trying to read the /etc/passwd file using the fileRead module of the Traffic Management User Interface and employing a path traversal technique.