Critical Vulnerability Found in F5 Networking Devices

F5 Networks has issued a security advisory and recommends immediate patching of a dangerous vulnerability affecting F5 BIG-IP networking devices. The vulnerability, tracked as CVE-2020-5902, has been rated “critical” and can allow unauthorized network access with potentially dire consequences.

The F5 security advisory states:
“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.”

According to Chris Krebs (Director of the Cybersecurity and Infrastructure Security Agency) on Twitter: “If you didn’t patch by this morning, assume compromised. Keep patching and check logs.”

F5 recommends upgrading to a fixed software version to fully mitigate this vulnerability, and remediation information is available on the F5 website.
