F5 has fixed a vulnerability in the configuration interface of the popular BIG-IP application delivery controller. The bug, discovered by Positive Technologies expert Nikita Abramov, affected a product that is used by some of the world's leading companies, and would allow remote hackers to cause denial of service attacks to the controller.
Vulnerability CVE-2020-27716 received a CVSS score of 7.5, reflecting a high degree of danger.
Nikita Abramov researcher at Positive Technologies explains: “Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies. This attack did not require any tools: an attacker could just send a simple HTTP request to the server where the BIG-IP configuration utility is located, and that would be enough to block access to the controller for a while (until it automatically restarts).”
In July 2020, F5 fixed vulnerability CVE-2020-5902, which was discovered by Mikhail Klyuchnikov. That vulnerability received a CVSS score of 10, indicating the highest degree of danger. Using this error, an attacker could potentially execute commands impersonating an unauthorized user, which would then completely compromise the system. For example, an attacker could utilize this to intercept the traffic of web resources managed by the controller.
In order to fix the DoS vulnerability, it’s critical to update the BIG-IP system to the latest version.
Detailed recommendations are given in the F5 BIG-IP security notification.
About Positive Technologies
For 18 years, Positive Technologies has been creating innovative solutions for information security. We develop products and services to detect, verify, and neutralize the real-world business risks associated with corporate IT infrastructure. Our technologies are backed by years of research experience and the expertise of world-class cybersecurity experts. Over 2,000 companies in 30 countries trust us to keep them safe.
Follow us on social media (LinkedIn, Twitter) and the News section at ptsecurity.com.