Name:Detect F5 TMUI RCE CVE-2020-5902 id:810e4dbc-d46e-11ea-87d0-0242ac130003 version:4 date:2024-10-17 author:Shannon Davis, Splunk status:experimental type:TTP Description:The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network. Data_source:
how_to_implement:To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;). known_false_positives:unknown References: -https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ -https://support.f5.com/csp/article/K52145254 drilldown_searches:
: tags: analytic_story: - 'F5 TMUI RCE CVE-2020-5902' asset_type:Network confidence:50 cve: - 'CVE-2020-5902' impact:50 message:tbd mitre_attack_id: - 'T1190' observable: name:'dest' type:'IP Address' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:network
