Bright Ideas Blog
Zeek in its sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

July 28, 2020 by Ben Reardon

By Ben Reardon, Corelight Security Researcher

Having a CVSS 10.0 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad…

Not being able to detect when a threat actor attempts and/or succeeds in compromising that device? That’s definitely bad…

Recently the US Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a CVSS 10.0 unauthenticated Remote Code Execution vulnerability (CVE-2020-5902) in F5’s Big-IP load balancing devices. NCC Group has also reported seeing active exploitation in the wild, dropping all manner of payloads including cryptominers.

To help, we’ve just open sourced a Zeek package that detects exploit attempts and successes, and bundles the salient information about an attempt into a notice for your IR team: https://github.com/corelight/CVE-2020-5902-F5BigIP

This package demonstrates a couple of aspects worth highlighting.

  • At first glance, since the core of this detection is a handful of URI patterns, you may think you can do all of it in a SIEM. You can do parts of it, but only if you have the base logs to begin with. Even if you have the native appliance logs in your SIEM, you lose part of the network context that Zeek can provide. Think of Zeek as an enricher that feeds your SIEM more valuable information.
  • As an Incident Responder, you want contextual information up front, because you need to triage quickly. By adding items like request headers into the alert notice – as this package does – Zeek gives responders an upper hand in the race against the IR queue: they no longer need to wade through PCAPs in a clunky swivel-chair workflow to fish out the important parts before deciding on the next course of action. I’ve heard it said before, and this is a great example of it: Zeek sits in the “sweet spot” between full PCAP and firewall logs or NetFlow.
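To make the two points above concrete, here is a small illustrative Zeek script written for this post. It is not the Corelight package linked above and does not reproduce its logic; it only shows the shape of such a detection: match the request URI against a pattern, hold on to the request headers, classify the event by the response code, and hand all of that to the Notice framework so the responder sees it in notice.log without opening a PCAP. The URI pattern (the `..;` path traversal into `/tmui/` described in the public F5 and CISA advisories), the choice of an HTTP 200 reply as the “success” signal, and the module and notice names are all assumptions made for this example, not taken from the package.

```zeek
# Illustrative example for this post, NOT the corelight/CVE-2020-5902-F5BigIP package.
@load base/frameworks/notice
@load base/protocols/http

module F5TMUI;

export {
	redef enum Notice::Type += {
		## A request matched the assumed CVE-2020-5902 TMUI traversal URI.
		Exploit_Attempt,
		## The device answered such a request with HTTP 200 (assumed success signal).
		Exploit_Success
	};

	## Assumed pattern: the semicolon path-traversal into /tmui/ that the public
	## advisories describe. Matched against the unescaped URI so percent-encoded
	## variants are caught too. Redefinable so you can tune it.
	const exploit_uri = /\/tmui\/login\.jsp\/\.\.;\// &redef;
}

## Per-connection context we want to hand to the responder.
type Ctx: record {
	uri: string;
	headers: string &default="";
};

redef record connection += {
	f5tmui: Ctx &optional;
};

# Request line: remember the matching URI. (Assumes one interesting request per
# connection; pipelined repeats simply overwrite the context.)
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( exploit_uri !in unescaped_URI )
		return;

	c$f5tmui = Ctx($uri=original_URI);
	}

# Request headers: fold them into the context so they land in the notice.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{
	if ( ! is_orig || ! c?$f5tmui )
		return;

	local i = 1;
	local hdrs = "";
	while ( i <= |hlist| )
		{
		hdrs += fmt("%s: %s | ", hlist[i]$name, hlist[i]$value);
		++i;
		}
	c$f5tmui$headers = hdrs;
	}

# Response: classify attempt vs. (assumed) success and raise the notice.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	if ( ! c?$f5tmui )
		return;

	local ctx = c$f5tmui;
	local note: Notice::Type = Exploit_Attempt;
	if ( code == 200 )
		note = Exploit_Success;

	NOTICE([$note=note,
	        $conn=c,
	        $msg=fmt("CVE-2020-5902 TMUI traversal: %s requested %s, got HTTP %d",
	                 c$id$orig_h, ctx$uri, code),
	        $sub=ctx$headers,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, ctx$uri),
	        $suppress_for=1hr]);

	delete c$f5tmui;
	}
```

Run it against a capture with `zeek -r capture.pcap f5tmui.zeek` (or load it on a live sensor) and look in notice.log: the `msg` column carries the client, URI and status code, and `sub` carries the request headers, which is the context a responder otherwise has to dig out of the PCAP. The `identifier` plus `suppress_for` keeps a noisy scanner from flooding the queue with one notice per retry. The script only sees plaintext HTTP, or HTTPS that something upstream has already decrypted, which is the point picked up at the end of this post.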

Exploit tools for this vulnerability are circulating publicly, including a Metasploit module. If you have these devices on your network, hopefully by now you have read the F5 advisory and patched your systems. Even if you have, you will probably still want to know when an exploit attempt is made, and this Zeek package will tell you.

In addition to this package, you may also be interested in this Sigma rule; a Suricata rule is also provided in the CISA alert.

Lastly, I feel sure I’ll get a question about HTTP vs HTTPS and its impact on this package. Even if you are not breaking and inspecting HTTPS traffic, we have seen scans for this exploit over plain HTTP, so there is still value here. Don’t assume that attackers will always use HTTPS. This is a much larger topic, but the nub of it is that we have other tricks in our bag for encrypted channels, and valuable detections aren’t made impossible just because traffic is encrypted.

We welcome feedback on how you use the package and suggestions for improvement, so please reach out.

#RCE #CVE-2020-5902 #CVE10 #Big-IP #Zeek  

Filed Under: Corelight Labs, Zeek Tagged With: Big-IP, CISA, CVE-2020-5902, CVE10, F5, GitHub, HTTP, HTTPS, NCC Group, open source, RCE, Remote Code Execution, Sigma, Suricata, Zeek
