corelight / CVE-2020-5902-F5BigIP

A network detection package for CVE-2020-5902, a CVSS 10.0 vulnerability affecting F5 Networks, Inc. BIG-IP devices.


CVE-2020-5902 (F5 BIG-IP devices)

Summary:

A Zeek detection package for CVE-2020-5902, a CVSS 10.0 vulnerability affecting F5 Networks BIG-IP devices.

References:

Notices raised:

By default both notices are enabled. If you would like to raise only the notice for a successful exploit, set the option in scripts/bigIPF5.zeek to true, i.e. option only_monitor_for_successful_exploit: bool = T;

Notice                  Enabled by default?   Disabled by only_monitor_for_successful_exploit = T?
BIGIP_exploit_attempt   Yes                   Yes
BIGIP_exploit_success   Yes                   No

Notices include up to 1500 bytes of the HTTP request headers as well as URI information, which can help speed up incident response and triage without necessarily needing to refer back to a pcap. Example:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2020-07-27-16-57-12
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double

1595831352.218935 C9EcoD1bu0ertt08bb 192.168.31.37 63034 192.168.1.3 80 - - - tcp CVE_2020_5902::BIGIP_exploit_attempt An attempt to exploit an F5 BIG-IP device via CVE-2020-5902 was detected using uri '/hsqldb;' , however the server responded with a code='404' reason='Not Found', indicating the exploit attempt failed. The HTTP request headers are '{\x0a\x09[1] = [original_name=User-Agent, name=USER-AGENT, value=Wget/1.20.3 (darwin19.0.0)],\x0a\x09[2] = [original_name=Accept, name=ACCEPT, value=*/*],\x0a\x09[3] = [original_name=Accept-Encoding, name=ACCEPT-ENCODING, value=identity],\x0a\x09[4] = [original_name=Host, name=HOST, value=192.168.1.3],\x0a\x09[5] = [original_name=Connection, name=CONNECTION, value=Keep-Alive]\x0a}'. Refer to https://support.f5.com/csp/article/K52145254 - 192.168.31.37 192.168.1.3 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
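The notice.log excerpt above is all an analyst usually needs for first-pass triage, but the useful parts (URI, response code, request headers) are embedded in the msg column with Zeek's \xNN escaping. The following Python script is an added example, not code from the package: it parses the Zeek ASCII log header directives (#separator, #unset_field, #fields), decodes the escapes, and reduces CVE_2020_5902 notices to a compact triage record. The BIGIP_exploit_attempt row is the one shown above; the BIGIP_exploit_success row, its uid and its message wording are constructed for the example and do not reflect the package's real success message.

```python
import re
from typing import Dict, List, Optional

# Sample input: the notice.log header and the README's BIGIP_exploit_attempt row,
# tab-separated as Zeek writes them, plus one CONSTRUCTED BIGIP_exploit_success row.
ATTEMPT_MSG = (
    "An attempt to exploit an F5 BIG-IP device via CVE-2020-5902 was detected "
    "using uri '/hsqldb;' , however the server responded with a code='404' "
    "reason='Not Found', indicating the exploit attempt failed. The HTTP request "
    "headers are '{\\x0a\\x09[1] = [original_name=User-Agent, name=USER-AGENT, "
    "value=Wget/1.20.3 (darwin19.0.0)],\\x0a\\x09[2] = [original_name=Accept, "
    "name=ACCEPT, value=*/*],\\x0a\\x09[3] = [original_name=Accept-Encoding, "
    "name=ACCEPT-ENCODING, value=identity],\\x0a\\x09[4] = [original_name=Host, "
    "name=HOST, value=192.168.1.3],\\x0a\\x09[5] = [original_name=Connection, "
    "name=CONNECTION, value=Keep-Alive]\\x0a}'. "
    "Refer to https://support.f5.com/csp/article/K52145254"
)
SUCCESS_MSG = (  # constructed wording, not the package's real success message
    "Constructed sample: exploit of an F5 BIG-IP device via CVE-2020-5902 using "
    "uri '/hsqldb;' , the server responded with a code='200' reason='OK'. "
    "The HTTP request headers are '{\\x0a\\x09[1] = [original_name=Host, name=HOST, "
    "value=192.168.1.3]\\x0a}'."
)
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
          "file_desc proto note msg sub src dst p n peer_descr actions suppress_for "
          "remote_location.country_code remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()
TYPES = ("time string addr port addr port string string string enum enum string "
         "string addr addr port count string set[enum] interval string string string "
         "double double").split()


def _row(ts: str, uid: str, note: str, msg: str) -> str:
    """Build one 25-column notice.log row in the same column order as FIELDS."""
    return "\t".join([ts, uid, "192.168.31.37", "63034", "192.168.1.3", "80",
                      "-", "-", "-", "tcp", note, msg, "-", "192.168.31.37",
                      "192.168.1.3", "80", "-", "-", "Notice::ACTION_LOG",
                      "3600.000000", "-", "-", "-", "-", "-"])


SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#open\t2020-07-27-16-57-12",
    "#fields\t" + "\t".join(FIELDS),
    "#types\t" + "\t".join(TYPES),
    _row("1595831352.218935", "C9EcoD1bu0ertt08bb",
         "CVE_2020_5902::BIGIP_exploit_attempt", ATTEMPT_MSG),
    _row("1595831400.000000", "CxxxxConstructed01",  # constructed uid
         "CVE_2020_5902::BIGIP_exploit_success", SUCCESS_MSG),
])


def unescape(s: str) -> str:
    """Decode Zeek's \\xNN log escapes (e.g. \\x0a, \\x09) back to characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Zeek ASCII log into dicts keyed by #fields; unset fields become None."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):  # only directive using a space
                sep = unescape(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # #types, #open, #close etc. are not needed here
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


# One header per line once the \x0a\x09 separators have been decoded.
HEADER_RE = re.compile(r"\[\d+\] = \[original_name=([^,]+), name=[^,]+, value=(.*?)\],?$", re.M)
URI_RE = re.compile(r"uri '([^']*)'")
CODE_RE = re.compile(r"code='(\d+)'")


def extract_headers(msg: str) -> Dict[str, str]:
    """Pull the embedded HTTP request headers out of a decoded notice msg."""
    return dict(HEADER_RE.findall(msg))


def triage(rows: List[Dict[str, Optional[str]]]) -> List[dict]:
    """Reduce CVE_2020_5902 notices to the fields an analyst looks at first."""
    out = []
    for r in rows:
        note = r.get("note") or ""
        if not note.startswith("CVE_2020_5902::"):
            continue
        msg = unescape(r.get("msg") or "")
        uri, code = URI_RE.search(msg), CODE_RE.search(msg)
        out.append({
            "ts": float(r["ts"]), "src": r["src"], "dst": r["dst"], "dst_port": int(r["p"]),
            "note": note.split("::", 1)[1],
            "success": note.endswith("BIGIP_exploit_success"),
            "uri": uri.group(1) if uri else None,
            "status": int(code.group(1)) if code else None,
            "headers": extract_headers(msg),
        })
    return out


if __name__ == "__main__":
    for rec in triage(parse_zeek_log(SAMPLE_NOTICE_LOG)):
        print(rec)
```

Replace SAMPLE_NOTICE_LOG with the contents of a real notice.log to use it against live output; successful notices (success=True) are the ones to escalate first, while attempts with a 404 status are useful for scoping who is scanning for the vulnerability.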

Usage, notes and recommendations:

  • To run against a pcap you already have: zeek -Cr your.pcap scripts/__load__.zeek
  • This package will run in live clustered or non-clustered environments.
  • This package has been prepared based on a selection of current publicly available information, not against pcaps of exploits.

Feedback

  • As details emerge, we are keen to improve this package for the benefit of the community. Please feel free to contact the author with any suggestions and feedback.


License: BSD 3-Clause "New" or "Revised" License


Languages

Language: Zeek 100.0%