Corelight releases open-source detection tool called Zeek for the CVE-2020-5902 vulnerability affecting F5 Networks' BIG-IP devices
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that hackers and cybercriminals are actively exploiting the CVE-2020-5902 remote code execution vulnerability in F5's BIG-IP network products. The CVE-2020-5902 vulnerability is highly critical and scores a perfect 10/10 on CVSS. It allows potential attackers to exfiltrate data, access networks, execute commands, create or delete files, and disable services.
Now, security research and technology firm Corelight has open-sourced a tool that helps companies and sysadmins detect whether their F5 BIG-IP network products are being targeted by the CVE-2020-5902 vulnerability. The tool is called Zeek and was developed by Lawrence Berkeley National Laboratory; it helps detect exploitation attempts related to this critical vulnerability in BIG-IP load balancers, developed by F5 Networks.
Zeek is open-source network security monitoring software and is available on its GitHub repository. According to Corelight, sysadmins can use Zeek with any Security Information and Event Management (SIEM) system.
The CVE-2020-5902 flaw resides in the Traffic Management User Interface (TMUI) configuration utility of the F5 BIG-IP network products and can be exploited with a single line of publicly available code. Security researchers as well as the U.S. CISA have detected multiple campaigns by hackers and cybercriminals to exploit this flaw in BIG-IP networks. Attackers have used the vulnerability to build a Metasploit module and to install Monero cryptocurrency mining malware. The vulnerability can also be used for shell command execution and other attack variants.
The Zeek tool will monitor your network and tell you whether any cybercriminal or hacker tried to exploit the CVE-2020-5902 flaw, and when the attempt was made.
Corelight security researcher Ben Reardon has some advice on the HTTP vs HTTPS debate: "Lastly, I feel sure I'll get a question about HTTP vs HTTPS and its impacts on this package. Even if you are not breaking/inspecting HTTPS traffic, we have seen scans for this exploit occur on HTTP, so there is still value for you here. Don't assume that attackers will always use HTTPS."