Hackers actively use two non-contiguous, high-severity vulnerabilities that allow unauthenticated access or even full takeover of networks operated by Fortune 500 companies and government organizations.
The most serious exploits target a critical vulnerability in F5's Big-IP Advanced Delivery Controller, a device typically placed between a perimeter firewall and a web application to perform load balancing and other tasks. The vulnerability that F5 fixed three weeks ago allows unauthenticated attackers to remotely execute commands or code of their choice. Attackers can then use their control to hijack the device's internal network to which it is connected.
The presence of a remote code execution error in a device in such a sensitive part of a network gave the vulnerability a maximum severity of 10. Immediately after F5 released a patch on June 30, security practitioners predicted that the bug would be traced as CVE-2020-5902 – would be used against all vulnerable networks that did not install the update quickly. On Friday, the U.S. Cyber Security and Infrastructure Security Agency (CISA) issued a notice that these warnings were predictive.
"CISA has committed incidents at the US government and commercial companies in which malicious cyber threat actors have exploited CVE-2020-5902 – an RCE vulnerability in the BIG-IP traffic management user interface (TMUI) – to control to take over the victim systems. " the report stated.
Within a few days of the F5 patch being released for this vulnerability, CISA has observed scanning and reconnaissance, as well as confirmed compromises. Already on July 6, 2020, CISA performed extensive scanning for the presence of this vulnerability in all federal departments and agencies. These activities are currently taking place at the time this warning is published.
CISA has worked with several companies in multiple sectors to investigate possible compromises related to this vulnerability. CISA has confirmed two compromises and continues to investigate them. CISA updates this alert with additional actionable information.
Et tu, Cisco?
Attackers are exploiting a second vulnerability in two network products sold by Cisco. The path violation error tracked as CVE-2020-3452 resides in the company's Adaptive Security Appliance and Firepower Threat Defense systems. It enables unauthenticated people to view confidential files remotely, which can reveal WebVPN configurations, bookmarks, web cookies, some web content, and HTTP URLs, among other things. Cisco released a patch on Wednesday. A day later, it updated its recommendation.
"Cisco has become aware of the availability of public exploit code and active exploitation of the vulnerability described in this notice," the update said. "Cisco encourages customers with affected products to upgrade to a fixed version as soon as possible."
The proof-of-concept code was released by Cisco almost immediately after the fix was released, triggering a race between attackers and defenders.
The impact of these vulnerabilities, particularly those affecting F5 customers, is serious. These in-the-wild attacks are reason enough to fill the weekend with IT administrators who have not yet patched their vulnerable systems.