Framingham, MA (January 14, 2020) — F5 has fixed a vulnerability in the configuration interface of the popular BIG-IP application delivery controller. The bug, discovered by Positive Technologies expert Nikita Abramov, affects a product used by some of the world’s leading companies and would allow remote attackers to cause a denial of service on the controller.
Vulnerability CVE-2020-27716 received a CVSS score of 7.5, reflecting a high degree of danger.
Nikita Abramov, researcher at Positive Technologies, explains: “Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example, being unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies. This attack did not require any tools: an attacker could just send a simple HTTP request to the server where the BIG-IP configuration utility is located, and that would be enough to block access to the controller for a while (until it automatically restarts).”
In July 2020, F5 fixed vulnerability CVE-2020-5902, which was discovered by Mikhail Klyuchnikov. That vulnerability received a CVSS score of 10, indicating the highest degree of danger. By exploiting this flaw, an attacker could potentially execute commands while impersonating an unauthorized user, completely compromising the system. For example, an attacker could use this to intercept the traffic of web resources managed by the controller.
To fix the DoS vulnerability, it is critical to update the BIG-IP system to the latest version.
Detailed recommendations are given in the F5 BIG-IP security notification.