WARNING THIS IS A EXPERIMENTAL object

We have not been able to test, simulate, or build datasets for this object. Use at your own risk. This analytic is NOT supported.

Try in Splunk Security Cloud

Description

This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2020-08-02
  • Author: Shannon Davis, Splunk
  • ID: 810e4dbc-d46e-11ea-87d0-0242ac130003

Annotations

ATT&CK
ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 8
  • CIS 11
CVE
ID Summary CVSS
CVE-2020-5902 In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. 10.0
1
2
3
4
`f5_bigip_rogue` 
| regex _raw="(hsqldb;
|.*\\.\\.;.*)" 
| search `detect_f5_tmui_rce_cve_2020_5902_filter`

Macros

The SPL above uses the following Macros:

Note that detect_f5_tmui_rce_cve-2020-5902_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time

How To Implement

To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).

Known False Positives

unknown

Associated Analytic story

RBA

Risk Score Impact Confidence Message
25.0 50 50 tbd

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1