Rewterz

Rewterz Threat Advisory – F5 BIG-IP CVE-2020-5902 Weaponized by Mirai Botnet Exploit to Attack IoT Devices

Severity

High

Analysis Summary

This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

The security bug is a remote code execution (RCE) vulnerability in the management interface of BIG-IP, known as the Traffic Management User Interface (TMUI). The mitigation rule F5 published for Apache httpd indicates that one way to exploit this vulnerability involves an HTTP GET request containing a semicolon character in the URI. On a Linux command line, a semicolon signals to the interpreter that a command has finished, and it is a character required to trigger the vulnerability. Further analysis indicates that the IoT botnet author can add a scanning capability for this vulnerability to existing and/or new malware variants (the YARA rule referenced by that analysis is not reproduced here).
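The httpd mitigation described above blocks any TMUI request whose path contains a semicolon. The same rule can be applied retrospectively to web-server access logs to find attempts that arrived before the mitigation was in place. The following is an added example written for this advisory, not code from Rewterz, F5 or the botnet analysis; it assumes Apache "combined" log format and that the TMUI is served under `/tmui`, and the log lines it scans are constructed samples. It decodes the request path before testing for `;` so that a percent-encoded semicolon (`%3B`) is not missed, ignores semicolons in the query string (the mitigation matches on the path only), and reports whether the request was served or already rejected with a 404.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" access-log layout (assumed; adjust the regex to your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for demonstration; none of these come from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Aug/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Aug/2020:10:01:05 +0000] "GET /tmui/login.jsp;x HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.12 - - [04/Aug/2020:10:01:09 +0000] "GET /tmui/some/path%3Bx HTTP/1.1" 200 640 "-" "python-requests/2.24"
203.0.113.13 - - [04/Aug/2020:10:02:00 +0000] "GET /tmui/login.jsp;x HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.14 - - [04/Aug/2020:10:02:30 +0000] "GET /tmui/login.jsp?next=a;b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [04/Aug/2020:10:03:00 +0000] "GET /index.html;x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_tmui_request(target):
    """True when the *decoded path* of a request under /tmui contains ';'.

    Split first, then decode: decoding before splitting would let an encoded
    '?' or '#' move part of the path into the query/fragment.
    """
    path = unquote(urlsplit(target).path)
    return path.lower().startswith("/tmui") and ";" in path


def scan_log(text):
    """Return one finding per suspicious TMUI request in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious_tmui_request(rec["target"]):
            continue
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"],
            "target": rec["target"],
            "status": status,
            # 2xx/3xx means the request reached TMUI and needs investigation;
            # a 404 is what the httpd mitigation returns and records only an attempt.
            "served": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "SERVED - investigate" if f["served"] else "blocked"
        print(f'{f["ip"]} {f["target"]} -> {f["status"]} ({verdict})')
```

On the sample above the scan reports three requests: two that were served (one of them with the encoded `%3B`) and one that the mitigation had already rejected; the query-string semicolon and the non-TMUI path are ignored.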

Impact

  • Remote code execution

Indicators of Compromise

SHA-256

  • acb930a41abdc4b055e2e3806aad85068be8d85e0e0610be35e784bfd7cf5b0e
  • 037859323285e0bbbc054f43b642c48f2826924149cb1c494cbbf1fc8707f942
  • 55c4675a84c1ee40e67209dfde25a5d1c1979454ec2120047026d94f64d57744
  • 03254e6240c35f7d787ca5175ffc36818185e62bdfc4d88d5b342451a747156d
  • 204cbad52dde24ab3df41c58021d8039910bf7ea07645e70780c2dbd66f7e90b
  • 3f8e65988b8e2909f0ea5605f655348efb87565566808c29d136001239b7dfa9
  • 15b2ee07246684f93b996b41578ff32332f4f2a60ef3626df9dc740405e45751
  • 0ca27c002e3f905dddf9083c9b2f8b3c0ba8fb0976c6a06180f623c6acc6d8ca
  • ecc1e3f8332de94d830ed97cd07867b90a405bc9cc1b8deccec51badb4a2707c
  • e71aca778ea1753973b23e6aa29d1445f93dc15e531c706b6165502d6cf0bfa4

URL

  • http[:]//hxxp[:]//78[.]142[.]18[.]20
  • http[:]//hxxp[:]//79[.]124[.]8[.]24/bins/

Remediation

  • Block all threat indicators at your respective controls.
  • Ensure that IoT devices run the latest firmware versions.
  • Search for IOCs in your environment.
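The indicator list above and the remediation step "Search for IOCs in your environment" can be put to work directly. The following is an added example, not code from the advisory: it carries the advisory's ten SHA-256 values and two defanged URLs, refangs the URLs into hostnames for a proxy or DNS blocklist (handling the doubled `http[:]//hxxp[:]//` prefix as written on the page), and sweeps a directory tree hashing each file against the SHA-256 set. The sample bytes in the test are constructed and are not expected to match.

```python
import hashlib
import os
import re
from urllib.parse import urlsplit

# SHA-256 indicators listed in the advisory above.
IOC_SHA256 = {
    "acb930a41abdc4b055e2e3806aad85068be8d85e0e0610be35e784bfd7cf5b0e",
    "037859323285e0bbbc054f43b642c48f2826924149cb1c494cbbf1fc8707f942",
    "55c4675a84c1ee40e67209dfde25a5d1c1979454ec2120047026d94f64d57744",
    "03254e6240c35f7d787ca5175ffc36818185e62bdfc4d88d5b342451a747156d",
    "204cbad52dde24ab3df41c58021d8039910bf7ea07645e70780c2dbd66f7e90b",
    "3f8e65988b8e2909f0ea5605f655348efb87565566808c29d136001239b7dfa9",
    "15b2ee07246684f93b996b41578ff32332f4f2a60ef3626df9dc740405e45751",
    "0ca27c002e3f905dddf9083c9b2f8b3c0ba8fb0976c6a06180f623c6acc6d8ca",
    "ecc1e3f8332de94d830ed97cd07867b90a405bc9cc1b8deccec51badb4a2707c",
    "e71aca778ea1753973b23e6aa29d1445f93dc15e531c706b6165502d6cf0bfa4",
}

# URL indicators exactly as defanged in the advisory.
IOC_URLS_DEFANGED = [
    "http[:]//hxxp[:]//78[.]142[.]18[.]20",
    "http[:]//hxxp[:]//79[.]124[.]8[.]24/bins/",
]


def refang(url):
    """Undo the defanging used in the advisory: '[.]' -> '.', '[:]' -> ':',
    'hxxp' -> 'http', then collapse a doubled scheme such as 'http://http://'."""
    u = url.replace("[.]", ".").replace("[:]", ":")
    u = re.sub(r"\bhxxp(s?)://", r"http\1://", u)
    return re.sub(r"^(https?://)(?:https?://)+", r"\1", u)


def blocklist_hosts(defanged_urls=IOC_URLS_DEFANGED):
    """Hostnames to feed into proxy, DNS or firewall blocklists."""
    return sorted({urlsplit(refang(u)).hostname for u in defanged_urls})


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_bytes(data, indicators=IOC_SHA256):
    """Return (digest, matched) for an in-memory sample."""
    digest = sha256_of_bytes(data)
    return digest, digest in indicators


def find_matches(root, indicators=IOC_SHA256):
    """Walk `root` and return (path, digest) for every file whose SHA-256 is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if digest in indicators:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("hosts to block:", blocklist_hosts())
    for path, digest in find_matches(root):
        print(f"MATCH {digest} {path}")
```

Run it with the directory to sweep as the first argument (for example the firmware or writable storage mounted from a suspect IoT device); `blocklist_hosts()` yields the two refanged hosts for the network controls.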