CVE-2020-5948
📋 TL;DR
This vulnerability is a reflected Cross-Site Scripting (XSS) attack in the iControl REST interface of F5 BIG-IP devices. It allows attackers to execute arbitrary JavaScript in the context of an admin user's session, potentially leading to full system compromise. Affected users are those running vulnerable BIG-IP versions with iControl REST enabled.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the BIG-IP system, allowing an attacker to gain administrative control, steal credentials, modify configurations, and pivot to internal networks.
Likely Case
Session hijacking, credential theft, and unauthorized configuration changes leading to service disruption or data exfiltration.
If Mitigated
Limited to session hijacking if admin access is restricted, but still poses significant risk to system integrity.
🎯 Exploit Status
Reflected XSS typically requires social engineering to trick an administrator into clicking a malicious link, but exploitation itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in 16.0.1, 15.1.1, 14.1.3, 13.1.4, 12.1.6, 11.6.6 and later
Vendor Advisory: https://support.f5.com/csp/article/K42696541
Restart Required: No
Instructions:
1. Download the appropriate fixed version from F5 Downloads.
2. Back up the current configuration.
3. Install the update via the GUI or CLI.
4. Verify the installation and test functionality.
🔧 Temporary Workarounds
Restrict iControl REST Access
Limit access to iControl REST endpoints to trusted IP addresses only:
tmsh modify /sys httpd allow replace-all-with { trusted_ip1 trusted_ip2 }
Disable iControl REST
Turn off the iControl REST interface if it is not required:
tmsh modify /sys httpd restjavad enable false
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BIG-IP management interfaces
- Enforce strong authentication and session management controls
🔍 How to Verify
Check if Vulnerable:
Check the BIG-IP version with 'tmsh show /sys version' and compare it against the affected-versions list.
Check Version:
tmsh show /sys version
Verify Fix Applied:
Verify version is 16.0.1+, 15.1.1+, 14.1.3+, 13.1.4+, 12.1.6+, or 11.6.6+
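The version comparison above is easy to get wrong by hand (15.1.0.4 is older than 15.1.1, but a naive string compare says otherwise). The following is an added example, not part of this CVE page or any F5 tooling: it parses the Version field out of `tmsh show /sys version` output and classifies it against the fixed versions listed above. The sample tmsh output is constructed here and its layout is an assumption; the per-branch fixed versions are taken from this page. A version on a branch the page does not list (for example 15.0.x) is reported as "unknown" rather than guessed.

```python
import re

# Minimum fixed version per release branch, from the "Official Fix" list on this page
# (16.0.1, 15.1.1, 14.1.3, 13.1.4, 12.1.6, 11.6.6 "and later").
FIXED_BY_BRANCH = {
    (16, 0): (16, 0, 1),
    (15, 1): (15, 1, 1),
    (14, 1): (14, 1, 3),
    (13, 1): (13, 1, 4),
    (12, 1): (12, 1, 6),
    (11, 6): (11, 6, 6),
}

# Constructed sample of `tmsh show /sys version` output (layout assumed, not captured
# from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.4
  Build       0.0.6
  Edition     Point Release 4
"""


def parse_version(text):
    """Turn a dotted version string such as '15.1.0.4' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_tmsh(output):
    """Extract the 'Version' field from tmsh output (the 'Sys::Version' header is skipped)."""
    match = re.search(r"^\s*Version\s+([0-9.]+)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return parse_version(match.group(1))


def status(version):
    """Classify a version tuple as 'fixed', 'vulnerable', or 'unknown'.

    'unknown' means the major.minor branch is not in the fixed-version list on this
    page, so no verdict can be derived from it; consult the vendor advisory directly.
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"
    # Zero-pad both tuples so 15.1.1 compares as (15,1,1,0) against (15,1,0,4).
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return "fixed" if padded_version >= padded_fixed else "vulnerable"


if __name__ == "__main__":
    found = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(".".join(map(str, found)), "->", status(found))
```

Run it against the real output of `tmsh show /sys version` by piping that output into `version_from_tmsh`; the tuple comparison handles the four-part hotfix versions BIG-IP reports.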
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to iControl REST endpoints with script tags or JavaScript payloads
- Multiple failed login attempts followed by successful admin login
Network Indicators:
- HTTP requests containing malicious script payloads to /mgmt/tm/* endpoints
- Unexpected outbound connections from BIG-IP management interface
SIEM Query:
source="bigip_logs" AND (uri="/mgmt/tm/*" AND (body="<script>" OR body="javascript:"))
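The SIEM query above matches the literal strings "<script>" and "javascript:", but a reflected-XSS probe reaches the iControl REST endpoint URL-encoded (and sometimes double-encoded), so a literal match on the raw request line misses it. The following is an added example, not part of this CVE page or any F5 or SIEM product: it applies the same indicators (requests to /mgmt/tm/* carrying script payloads) to Apache-style access-log lines after URL-decoding the request URI twice. The log lines are constructed for this example and their format is an assumption about how the BIG-IP httpd access log is written.

```python
import re
from urllib.parse import unquote_plus

# The indicators named on this page, case-insensitive and tolerant of whitespace
# inserted after '<' or before ':'.
PAYLOAD_RE = re.compile(r"<\s*/?\s*script|javascript\s*:", re.IGNORECASE)

# Apache-style request line: "METHOD URI HTTP/x.y" STATUS
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access-log lines (not captured from a real device).
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Dec/2020:10:00:01 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2020:10:00:05 +0000] "GET /mgmt/tm/ltm/virtual?filter=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Dec/2020:10:00:09 +0000] "GET /tmui/login.jsp?x=javascript:void(0) HTTP/1.1" 200 300',
    '203.0.113.11 - - [01/Dec/2020:10:00:12 +0000] "GET /mgmt/tm/ltm/node?name=%253Cscript%253E HTTP/1.1" 400 128',
    '203.0.113.13 - - [01/Dec/2020:10:00:15 +0000] "GET /mgmt/tm/ltm/rule?description=my+javascript+notes HTTP/1.1" 200 256',
]


def is_icontrol_rest(uri):
    """True when the request path (query string stripped) is under /mgmt/tm/."""
    return uri.split("?", 1)[0].startswith("/mgmt/tm/")


def find_suspicious(lines):
    """Return one dict per log line that targets iControl REST with a script payload.

    The URI is decoded twice so that a double-encoded payload (%253C -> %3C -> <)
    is still recognised; non-REST paths are ignored, matching the page's query scope.
    """
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match or not is_icontrol_rest(match.group("uri")):
            continue
        decoded = unquote_plus(unquote_plus(match.group("uri")))
        if PAYLOAD_RE.search(decoded):
            hits.append({
                "client": line.split()[0],      # first CLF field is the client address
                "uri": match.group("uri"),
                "status": match.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['client']} {hit['status']} {hit['uri']}")
```

The third sample line carries a "javascript:" string but hits /tmui rather than /mgmt/tm/, so it is out of the query's scope and not reported; the fifth contains the word "javascript" without a colon and is also ignored. Tune the path prefix and payload patterns to the SIEM's field names before turning this into a scheduled search.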