CVE 2020-5902: Indicators of Compromise

F5 provides the CVE-2020-5902 IoC Detection Tool to help its customers analyze their F5 devices outside of iHealth for certain indicators of compromise related to CVE-2020-5902. Please note, however, that:

- The CVE-2020-5902 IoC Detection Tool is not comprehensive, nor is it intended to be: it does not identify all possible indicators of compromise, but only a select group that F5 has found to be generally reliable based on its internal analyses of compromised F5 devices.

- Not all compromised F5 devices show the same indicators and attackers may be able to remove traces of their work. It is not possible to prove that any device has not been compromised; if there is any uncertainty, additional analysis may be required and/or you may want to consult with your security team.

- To avoid undue interruption to a user’s business operations, the CVE-2020-5902 IoC Detection Tool should not be operated during peak traffic hours and should instead generally be used during users’ regular maintenance windows.

- If indicators of compromise are identified, F5 recommends that users follow their documented internal incident response procedures. F5 has provided general considerations and guidance for when a security compromise on a BIG-IP system is suspected in K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system. Additionally, users can contact F5 directly for additional support via the Customer Support Portal or other standard channels.

The CVE-2020-5902 IoC Detection Tool is made available for F5 users’ convenience and is provided on an “as is” basis under the terms of the Apache License. You use the CVE-2020-5902 IoC Detection Tool at your own risk.