CVE-2020-5902: Helping to protect against the F5 TMUI RCE vulnerability
On July 7, 2020, Cloudflare deployed a managed rule to protect its customers against a remote code execution vulnerability found in F5 BIG-IP's web-based Traffic Management User Interface (TMUI). The new rule automatically blocks any attempt to exploit the vulnerability.

Initial testing showed that attackers began probing and attempting to exploit this vulnerability starting on July 3. F5 has provided detailed instructions for patching affected devices, detecting attempts to exploit the vulnerability, and adding custom mitigations. The most common probe URLs have been identified, and all of them contain the same critical pattern at their core. On July 3, there were approximately 1k probes, which increased to around 1m on July 6.

Remote Code Execution (RCE) is a type of code injection that allows attackers to run arbitrary code on the target application, potentially leading to full system takeover. The vulnerability affects only the administration interface and not the underlying data plane provided by the application. To mitigate this issue, blocking all requests matching a specific regular expression in the URL can be effective. Cloudflare WAF users with their F5 BIG-IP TMUI interface proxied behind Cloudflare are automatically protected from this vulnerability using rule 100315.

Company: Cloudflare
Date published: July 7, 2020
Author(s): Michael Tremante, Maitane Zotes
Word count: 395
Hacker News points: 2
Language: English