Automating Mitigation of the F5 BIG-IP TMUI RCE Security Vulnerability Using Ansible Tower (CVE-2020-5902)

July 15, 2020 by Mark Lowcher

On June 30, 2020, a security vulnerability affecting multiple BIG-IP platforms from F5 Networks was made public with a CVSS score of 10 (Critical). Due to the significance of the vulnerability, network administrators are advised to mitigate this issue in a timely manner. Doing so manually is tricky, especially if many devices are involved. Because F5 BIG-IP and BIG-IQ are certified with the Red Hat Ansible Automation Platform, we can use it to tackle the issue.

This post provides one way of temporarily mitigating CVE-2020-5902 via Ansible Tower without upgrading the BIG-IP platform. However, larger customers like service providers might struggle to upgrade on a short notice, as they may have to go through a lengthy internal validation process. For those situations, an automated mitigation may be a reasonable workaround until such time to perform an upgrade.

 

Background of the vulnerability

The vulnerability is described in K52145254 of the F5 Networks support knowledgebase

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

And describes the impact is serious:

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.

The mitigation can be performed on command line via the F5 traffic management shell (TMSH) or remotely via the F5 iControl REST interface.

 

Mitigation using Ansible

Ansible can help in automating a temporary workaround across multiple BIG-IP devices. As an example a playbook is included below which, when executed from within Ansible Tower, has been shown to successfully mitigate this security vulnerability. The following factors need to be considered:

  • The provided Ansible Playbook requires editing a file using F5’s traffic management shell (TMSH).
  • Editing of this file through bash does not persist after a reboot, furthermore doing so is not supported by F5 because it should be edited via TMSH.
  • For those customers that have existing running instances of F5 BIG-IP or need to automate the creation or deletion of F5 instances, running the Ansible Playbook is still required.
  • Running this playbook does persist after a BIG-IP reboot.
  • An upgrade to software versions that do not have the permanent fix will also need to be mitigated. Therefore, the playbook should be run again after this situation.
  • The provided playbook was written specifically for Ansible Tower and serves as an example of how the mitigation can be carried out. The playbook is provided as-is and is only provided for guidance. Customers are advised to write their own playbooks to mitigate the issue. Red Hat makes no claim of official support for this playbook.

Playbook Details

In order to successfully run the referenced playbook, you'll need to provide login credentials to the F5 BIG-IP instances. For example, the variables that define the server, userid, and password fields needs to be set by an authorized administrative user on the F5 BIG-IP with this information. 

The tasks in the playbook connect to TCP port 8443 of the management IP address of the F5 BIG-IP. If you are patching an on-premises F5 instance connecting to TCP, port 443 is required instead.

Although there are two methods for restarting the HTTP daemon, due to a current known issue, please use the TMSH method. Therefore, you’ll notice that we do not use the bigip_command module.

The referenced playbook contains three tasks which each provide the following:

  • The first task “Editing HTTPD” makes the changes necessary to mitigate the vulnerability. 
  • The second task “Saving HTTPD change” saves the change to disk.
  • The third play “Restarting HTTPD daemon with tmsh” restarts the service to make the configuration active.

Please Note:

---
- name: Mitigate CVE-2020-5902
  hosts: all
  connection: local
  gather_facts: false

  tasks:
    - name: Editing HTTPD
      raw: curl -ku "{{ansible_user}}":"{{ansible_ssh_pass}}" -k https://"{{ansible_host}}":8443/mgmt/tm/sys/httpd -H content-type:application/json -X PATCH -d '{"include":"\n <LocationMatch \\\";\\\">\n Redirect 404 /\n </LocationMatch>\n <LocationMatch \\\"hsqldb\\\">\n Redirect 404 /\n </LocationMatch>\n "}'
  
    - name: Saving HTTPD change
      bigip_command:
        commands: save sys config
        provider:
          server: "{{ansible_host}}"
          user: "{{ansible_user}}"
          password: "{{ansible_ssh_pass}}"
          server_port: 8443 # port 8443 for public cloud, port 443 for on-prem
          validate_certs: false

    - name: Restarting HTTPD daemon with tmsh      
      raw: curl -u "{{ansible_user}}":"{{ansible_ssh_pass}}" -k https://"{{ansible_host}}":8443/mgmt/tm/util/bash  -H "Content-type:application/json" -d "{\"command\":\"run\", \"utilCmdArgs\":\"-c 'killall -9 httpd;tmsh restart /sys service httpd'\"}"
      ignore_errors: True
      register: httpd_restart
      failed_when: "httpd_restart.rc != 52"

See the full version of the playbook, including comments and more in-depth details, here.

 

Validating that the Playbook Succeeded

 A mitigation that has not been verified should be treated as no mitigation. Thus let’s check that we have been successful:

  1. From the command line of the F5 BIG-IP, issue the following command:  tmsh edit sys httpd all-properties 
  2. Verify the section after include contains the following: 
include "
<LocationMatch \";\">
Redirect 404 /
</LocationMatch>
<LocationMatch \"hsqldb\">
Redirect 404 /
</LocationMatch>
"

If this is the case, the mitigation was successful. Close this file (without saving any edits) with a :q! command.

Download the F5 BIG-IP Ansible Content Collection

The provided playbook is written with the assumption that the Ansible Tower 3.7 installation is utilizing the included Ansible Engine 2.9. Therefore, the F5 Ansible modules are already included as part of the installation. 

If you are a community developer using the open source Ansible distribution, refer to the latest modules available for F5 BIG-IP and BIG-IQ from the f5networks.f5_modules Ansible Content Collection available on Automation Hub (fully supported, requires a Red Hat Ansible Automation Platform subscription) or Ansible Galaxy (upstream community supported):

For more information on how to use and install Ansible Content Collections, check out our blog post Hands on with Ansible collections by Ajay Chenampara.

Finally, the F5 Ansible Content Collection also includes modules to patch and/or upgrade the BIG-IP directly such as bigip_software_image, bigip_software_install, bigip_config and more.

Takeaways and where to go next

Remediating vulnerabilities in network devices is crucial, and in this blog we showed how Ansible can help with that given the current example of the F5 BIG-IP TMUI RCE Security Vulnerability, CVE-2020-5902. 

If you want to know more about the Red Hat Ansible Automation Platform:

Share:

Topics:
Security Automation


 

Mark Lowcher

Mark Lowcher is a Red Hat Solution Architect Specialist for Ansible Automation Platform where he brings over 20 years in the Software and Hardware Computer industry from companies like F5 Networks and Network General. Mark Lowcher is skilled in Network Automation, Application Security and Application Delivery.


rss-icon  RSS Feed

RH-ansible-automation-platform_trial-banner
AnsibleFest-2020-banner-A