forked from splunk/security_content
f5_tmui_rce_cve_2020_5902.yml
name: F5 TMUI RCE CVE-2020-5902
id: 7678c968-d46e-11ea-87d0-0242ac130003
version: 1
date: '2020-08-02'
author: Shannon Davis, Splunk
description: Uncover activity consistent with CVE-2020-5902. Discovered by Positive
  Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix
  SDC devices (vulnerable versions are listed in the F5 support link below). This vulnerability
  allows unauthenticated users, as well as authenticated users, with access to the configuration
  utility to execute system commands, create/delete files, disable services, and/or
  execute Java code. This vulnerability can result in full system compromise.
narrative: A client is able to perform remote code execution on an exposed and vulnerable
  system. The detection search in this Analytic Story uses syslog to detect the malicious
  behavior. Syslog is the best detection method, because any system that uses
  SSL to protect its management console makes detection via wire data difficult. The
  searches included use Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/)
  with a custom destination port to identify the data as F5 data (covered in
  https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/).
references:
- https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
- https://support.f5.com/csp/article/K52145254
- https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/
tags:
  analytic_story: F5 TMUI RCE CVE-2020-5902
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection