July 27, 2020 by Ben Reardon
Having a CVSS 10.0 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad…
Not being able to detect when a threat actor attempts and/or succeeds in compromising that device? That’s definitely bad…
Recently the US Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a CVSS 10.0 unauthenticated Remote Code Execution vulnerability (CVE-2020-5902) in F5’s BIG-IP load balancing devices. NCC Group has also reported seeing active exploits in the wild, which installed all manner of payloads including cryptominers.
To help, we’ve just open-sourced a Zeek package that detects exploit attempts and successes, and bundles the salient information about an attempted attack into a notice for your IR team: https://github.com/corelight/CVE-2020-5902-F5BigIP
This package demonstrates a couple of aspects that are worth highlighting.
Exploit tools for this vulnerability are actively circulating publicly, including a Metasploit module. If you have these devices on your network, hopefully by now you have read the F5 advisory and patched your systems. Even if you have, you might still want to know when an exploit attempt is made, and this Zeek package will give you that information.
In addition to this package, you may also be interested in this Sigma rule, and a Suricata rule is also provided in the CISA alert.
Lastly, I feel sure I’ll get a question about HTTP vs HTTPS and its impact on this package. Even if you are not breaking/inspecting HTTPS traffic, we have seen scans for this exploit occur over plain HTTP, so there is still value for you here. Don’t assume that attackers will always use HTTPS. This is a much larger topic, but the nub of it is that there are other tricks in our bag to help with encrypted channels, and valuable detections aren’t made impossible just because traffic is encrypted.
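The attempt-versus-success distinction described above, shown as an added example that is not code from the Corelight package: a small Python scan over Zeek http.log records. It assumes that a probe is a request whose URI reaches `/tmui/` through a `..;/` path segment (the path-normalization quirk the public advisories describe), that a probe answered with HTTP 200 is a likely success, and that `FIELDS` is a trimmed subset of the real http.log columns; the sample log lines are constructed.

```python
# Added example, not code from the Corelight package: classify Zeek http.log
# records as CVE-2020-5902 probe attempts or likely successes.
# Assumptions: a probe reaches /tmui/ through a "..;/" segment; a probe that
# draws HTTP 200 is treated as a likely success; FIELDS is the column subset
# used here (a real http.log carries more columns).
import re
from typing import Optional
from urllib.parse import unquote

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "trans_depth", "method", "host", "uri", "status_code"]

TRAVERSAL = re.compile(r"\.\.;/")

def normalize(uri: str) -> str:
    """Decode twice so double-encoded probes (%252e) collapse, then fold case."""
    return unquote(unquote(uri)).lower()

def classify(uri: str, status_code: str) -> Optional[str]:
    """Return 'attempt', 'success' or None for one http.log record."""
    u = normalize(uri)
    if "/tmui/" not in u or not TRAVERSAL.search(u):
        return None
    return "success" if status_code == "200" else "attempt"

def scan_http_log(text: str) -> list:
    """Walk a tab-separated http.log and collect the records worth a notice."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip Zeek header lines
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        verdict = classify(rec["uri"], rec["status_code"])
        if verdict:
            hits.append({"verdict": verdict, "uid": rec["uid"],
                         "src": rec["id.orig_h"], "dst": rec["id.resp_h"],
                         "uri": rec["uri"]})
    return hits

# Constructed sample log: a legitimate login page hit, a probe answered 404,
# a probe answered 200, and a double-URL-encoded probe answered 200.
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "1595846400.1\tC1\t10.0.0.5\t51000\t10.0.0.10\t80\t1\tGET\tlb.example\t/tmui/login.jsp\t200",
    "1595846401.2\tC2\t198.51.100.7\t51001\t10.0.0.10\t80\t1\tGET\tlb.example\t/tmui/login.jsp/..;/tmui/\t404",
    "1595846402.3\tC3\t198.51.100.7\t51002\t10.0.0.10\t80\t1\tGET\tlb.example\t/tmui/login.jsp/..;/tmui/\t200",
    "1595846403.4\tC4\t203.0.113.9\t51003\t10.0.0.10\t80\t1\tGET\tlb.example\t/tmui/login.jsp/%252e%252e%3b/tmui/\t200",
])
```

A 200 on a probe only tells you the traversal was not rejected at the edge, so treat a "success" verdict as a trigger to inspect the device itself, not as proof of compromise.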
We welcome feedback on how you use the package and suggestions for improvement, so please reach out.
#RCE #CVE-2020-5902 #CVE10 #Big-IP #Zeek