⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud

Description

This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-02
  • Author: Shannon Davis, Splunk
  • ID: 810e4dbc-d46e-11ea-87d0-0242ac130003

ATT&CK

ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
`f5_bigip_rogue` 
| regex _raw="(hsqldb;
|.*\\.\\.;.*)" 
| search `detect_f5_tmui_rce_cve_2020_5902_filter`

Associated Analytic Story

How To Implement

To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).

Required field

  • _time

Kill Chain Phase

  • Exploitation

Known False Positives

unknown

CVE

ID Summary CVSS
CVE-2020-5902 In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. 10.0

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1