
Fix now: High risk vulnerabilities at large, July 2020 part 2

17.Jul.2020
Simon Roe, Product Manager Outpost24
In the world of CVEs, we have seen a few interesting ones released in the couple of weeks since our last risk-based vulnerability management blog, including the recent big news items affecting F5 BIG-IP and Pan-OS. Read on for more information on how to prioritize these vulnerabilities for patching to mitigate risk.
High risk vulnerabilities

F5 BIG-IP vulnerabilities

Let’s look at the breaking vulnerabilities of the last two weeks:

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-5902 | BIG-IP TMUI RCE vulnerability | 10.00 | 38.46 | 2020-07-12 |
| CVE-2020-5903 | BIG-IP Cross-Site Scripting (XSS) vulnerability | 7.5 | 10.54 | 2020-07-06 |

CVE-2020-5902 is a directory traversal in the Traffic Management User Interface (TMUI) that lets unauthenticated attackers upload and execute scripts as root. An attack requires that the F5 BIG-IP control plane is exposed to the Internet, and it is especially dangerous for companies whose F5 BIG-IP web interface is indexed by search engines such as Shodan.

Unsurprisingly, CVE-2020-5902 now carries a whopping 38.46 Farsight risk rating; what might be more surprising is that it wasn't 38.46 upon release.

At the point of announcement (1st July), the likelihood was 10.13: definitely "one to watch", but perhaps not in the highest-priority remediation bucket. By the 4th July the likelihood had actually decreased to 2.72; despite all of the Proof of Concept exploits circulating at the time, they were not having a huge impact on the overall potential risk for the vulnerability. It then hovered around a 5.00 likelihood score for the best part of last week, until the first mass exploiter was launched on the 11th July and the value jumped straight up to 38.46. Any vulnerability that gets a lot of press attention is always worth watching more closely. In this instance, the fact that it had trended above 1.0 since its launch, coupled with the quick release of PoC exploits, was a good early sign that it would jump to the top of the list. As always, the patch information is here. It's worth noting that if you applied any of the mitigations posted by F5 prior to the 8th July, these have since been updated; you should review the changes and apply them where appropriate.

In contrast, CVE-2020-5903, a Cross-Site Scripting (XSS) vulnerability in an undisclosed page of the BIG-IP Configuration utility, has seemingly lost the interest of the threat actor community, with no identified Proof of Concept exploit available in the wild.

Patching 5902 will also result in patching 5903.

Pan-OS vulnerability

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-2021 | PanOS Authentication Bypass in SAML Authentication | 10.00 | 12.28 | 2020-07-08 |

Released on June 29th by Palo Alto Networks, this vulnerability, an authentication bypass in the Security Assertion Markup Language (SAML) authentication in Pan-OS, garnered some early interest but was soon overtaken by CVE-2020-5902. Another CVSSv3 10.00-rated vulnerability, it has held steady at 12.28 since the 4th July, with little happening since in terms of general security expert interest. With no PoC or exploits available for this vulnerability, the longer-term expectation is that the likelihood will decrease over time.

For those of you who are concerned or want to know more about the vulnerability and the affected versions of Pan-OS, you can learn more here. A note for those still running Pan-OS 8.0: this release is now end of life and you should plan an upgrade as soon as you are able.


Microsoft Windows Codecs Library

Let’s see what else is happening in the world of vulnerabilities...

At the time of writing we are eagerly awaiting Microsoft Patch Tuesday (14th July), but interestingly two RCE vulnerabilities have already received an out-of-band patch from Microsoft.

| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-1425 | RCE vulnerability in the Windows Codecs library | Reserved | 9.54 | 2020-07-02 |
| CVE-2020-1457 | RCE vulnerability in the Windows Codecs library | Reserved | 9.12 | 2020-07-02 |

CVE-2020-1425 allows an attacker to obtain information that could be used to further compromise the user's system, and exploitation of CVE-2020-1457 could let attackers execute arbitrary code on the targeted machine.

Interestingly, both vulnerabilities are listed as reserved and have no current CVSSv3 score. Both have likelihood scores over 1.0, which represents nine (9) times more likely than the average vulnerability to be exploited, though community interest has waned since their release. As always with Microsoft Windows, you should use the update functionality of Windows 10, or your administrator should schedule the updates.
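The prioritisation heuristics this post applies by hand (a likelihood above the 1.0 average, a public PoC, a sudden jump such as the one CVE-2020-5902 made on the 11th July) can be turned into a repeatable triage rule. The helper below is an added example written for this post, not Outpost24 code or the Farsight product; the scores, dates and PoC status are those quoted in the two F5 and Windows sections above, the 1.0 baseline is the post's own "average vulnerability" reference point, and the `FIX_NOW_SCORE` and `SURGE_DELTA` thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

AVERAGE_LIKELIHOOD = 1.0  # post: over 1.0 = more likely than the average CVE to be exploited
FIX_NOW_SCORE = 20.0      # assumed: mass-exploitation territory
SURGE_DELTA = 10.0        # assumed: a single-step jump this big means "fix now"

@dataclass
class Cve:
    cve_id: str
    cvss: Optional[float]              # None while the CVSSv3 score is still "Reserved"
    history: List[Tuple[date, float]]  # (date, Farsight likelihood), oldest first
    poc_public: bool = False

    def latest(self) -> float:
        return self.history[-1][1]

    def above_average_since_release(self) -> bool:
        # the "trended above one since its launch" signal the post flags for CVE-2020-5902
        return all(score > AVERAGE_LIKELIHOOD for _, score in self.history)

    def biggest_jump(self) -> float:
        # largest rise between consecutive observations, 0.0 if it never rose
        scores = [s for _, s in self.history]
        return max((b - a for a, b in zip(scores, scores[1:])), default=0.0)

def priority_bucket(cve: Cve) -> str:
    if cve.latest() >= FIX_NOW_SCORE or cve.biggest_jump() >= SURGE_DELTA:
        return "fix-now"        # mass exploiter in the wild or a sudden surge
    if cve.poc_public and cve.above_average_since_release():
        return "watch-closely"  # early warning: PoC public and never dipped below average
    if cve.latest() > AVERAGE_LIKELIHOOD:
        return "schedule"
    return "routine"

def rank(cves: List[Cve]) -> List[Tuple[str, str, float]]:
    # highest current likelihood first; CVSS breaks ties ("Reserved" counts as 0)
    ordered = sorted(cves, key=lambda c: (c.latest(), c.cvss or 0.0), reverse=True)
    return [(c.cve_id, priority_bucket(c), c.latest()) for c in ordered]

def cves_from_post() -> List[Cve]:
    # the 5.00 reading's date is approximated; the post only says it hovered there for days
    return [
        Cve("CVE-2020-5902", 10.0, [(date(2020, 7, 1), 10.13), (date(2020, 7, 4), 2.72),
                                    (date(2020, 7, 8), 5.00), (date(2020, 7, 11), 38.46)], True),
        Cve("CVE-2020-5903", 7.5, [(date(2020, 7, 6), 10.54)]),
        Cve("CVE-2020-2021", 10.0, [(date(2020, 7, 4), 12.28), (date(2020, 7, 8), 12.28)]),
        Cve("CVE-2020-1425", None, [(date(2020, 7, 2), 9.54)]),
    ]
```

Run `rank(cves_from_post())` to see the full list bucketed; truncating CVE-2020-5902's history to the readings before the 11th July shows it already landing in "watch-closely", which is the early signal the post describes.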


Wrap up

This week's CVEs to find and fix have been dominated by CVE-2020-5902, and this shows we often forget our security devices when we consider our patching and remediation strategy. We strongly recommend that our customers include perimeter devices and other internal security devices in their regular scanning processes and ensure they can be scheduled for updates when the need arises.
