F5 Big-IP Local File Inclusion (CVE-2020-5902)

Summary#

Invicti identified a Local File Inclusion vulnerability in Big-IP, which occurs when a file from the target system is injected into the attacked server page.

Invicti confirmed this issue by reading some files from the target web server.

Impact#

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

Gather usernames via an "/etc/passwd" file
Harvest useful information from the config file, such as "/config/bigip.conf"
Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection

Exploit of the vulnerability is known widely and should be addressed as soon as possible.

Actions To Take#

It is recommended that you upgrade to a fixed software version to fully mitigate this vulnerability.

If it is not possible to upgrade at this time, you can use the following sections as temporary mitigations:

All TMUI interfaces: addresses unauthenticated attackers on all interfaces
Self IPs: addresses unauthenticated and authenticated attackers on self-IPs, by blocking all access
Management interface: addresses unauthenticated attackers on the management interface, by restricting access

Remediation#

Upgrade to a fixed software version, by following the table in the External References Section.
If it is not possible to upgrade at this time:

Log in to the TMOS Shell (tmsh) by entering the following command: tmsh
Edit the httpd properties by entering the following command
edit/sys httpd all-properties
Locate the line that starts with include none and replace it with the following:

include ' <LocationMatch ";"> Redirect 404 / </LocationMatch> '
Write and save the changes to the configuration file by entering the following vi commands:
Esc :wq!
When further prompted to Save Changes (y/n/e), enter y.
Save the configuration by entering the following tmsh command:
save /sys config
To activate the mitigation, restart the httpd service by entering the following command:
restart sys service httpd
To exit tmsh, enter the following command:
quit
Ensure that the workaround is inserted in the configuration by comparing the output of the following command to the configured LocationMatch fragment that you inserted in step 3. To do so, enter the following command:
grep -C1 'Redirect 404' /etc/httpd/conf/httpd.conf

The output should match the following:
<LocationMatch ";"> Redirect 404 / </LocationMatch>

If you have high availability (HA) configuration, you may now perform a ConfigSync operation as documented in K14856: Performing a ConfigSync using tmsh.

Classifications#

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, CAPEC-252, WASC-33, OWASP 2013-A4, CWE-22, ISO27001-A.14.2.5, PCI v3.2-6.5.8, OWASP 2017-A5, HIPAA-164.306(a)