CVE-2020-5902 vulnerability in F5 Networks Products
Published on July 1, 2020

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Vendor Advisory NVD

Known Exploited Vulnerability

This F5 BIG-IP Traffic Management User Interface Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2020-5902 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2020-5902 has been classified to as a Directory traversal vulnerability or weakness.

Products Associated with CVE-2020-5902

You can be notified by stack.watch whenever vulnerabilities like CVE-2020-5902 are published in these products:

F5 Networks Big Ip Access Policy Manager

F5 Networks Big Ip Advanced Firewall Manager

F5 Networks Big Ip Analytics

F5 Networks Big Ip Application Acceleration Manager

F5 Networks Big Ip Application Security Manager

F5 Networks Big Ip Domain Name System

F5 Networks Big Ip Fraud Protection Service

F5 Networks Big Ip Global Traffic Manager

F5 Networks Big Ip Link Controller

F5 Networks Big Ip Local Traffic Manager

F5 Networks Big Ip Policy Enforcement Manager

F5 Networks Ssl Orchestrator

F5 Networks Big Ip Advanced Web Application Firewall

F5 Networks Big Ip Ddos Hybrid Defender

What versions are vulnerable to CVE-2020-5902?

F5 Networks Big Ip Access Policy Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Access Policy Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Access Policy Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Access Policy Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Access Policy Manager Version 15.0.0 through 15.0.1.4
F5 Networks Big Ip Access Policy Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Advanced Firewall Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Advanced Firewall Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Advanced Firewall Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Advanced Firewall Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Advanced Firewall Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Advanced Firewall Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Advanced Web Application Firewall Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Advanced Web Application Firewall Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Advanced Web Application Firewall Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Advanced Web Application Firewall Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Advanced Web Application Firewall Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Advanced Web Application Firewall Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Analytics Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Analytics Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Analytics Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Analytics Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Analytics Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Analytics Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Application Acceleration Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Application Acceleration Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Application Acceleration Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Application Acceleration Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Application Acceleration Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Application Acceleration Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Application Security Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Application Security Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Application Security Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Application Security Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Application Security Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Application Security Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Ddos Hybrid Defender Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Ddos Hybrid Defender Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Ddos Hybrid Defender Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Ddos Hybrid Defender Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Ddos Hybrid Defender Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Ddos Hybrid Defender Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Domain Name System Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Domain Name System Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Domain Name System Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Domain Name System Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Domain Name System Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Domain Name System Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Fraud Protection Service Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Fraud Protection Service Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Fraud Protection Service Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Fraud Protection Service Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Fraud Protection Service Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Fraud Protection Service Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Global Traffic Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Global Traffic Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Global Traffic Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Global Traffic Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Global Traffic Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Global Traffic Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Link Controller Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Link Controller Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Link Controller Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Link Controller Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Link Controller Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Link Controller Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Local Traffic Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Local Traffic Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Local Traffic Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Local Traffic Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Local Traffic Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Local Traffic Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Big Ip Policy Enforcement Manager Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Big Ip Policy Enforcement Manager Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Big Ip Policy Enforcement Manager Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Big Ip Policy Enforcement Manager Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Big Ip Policy Enforcement Manager Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Big Ip Policy Enforcement Manager Version 15.1.0 Fixed in Version 15.1.0.4
F5 Networks Ssl Orchestrator Version 11.6.1 Fixed in Version 11.6.5.2
F5 Networks Ssl Orchestrator Version 12.1.0 Fixed in Version 12.1.5.2
F5 Networks Ssl Orchestrator Version 13.1.0 Fixed in Version 13.1.3.4
F5 Networks Ssl Orchestrator Version 14.1.0 Fixed in Version 14.1.2.6
F5 Networks Ssl Orchestrator Version 15.0.0 Fixed in Version 15.0.1.4
F5 Networks Ssl Orchestrator Version 15.1.0 Fixed in Version 15.1.0.4