F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws
F5 Networks has pushed out patches to tackle four critical vulnerabilities in BIG-IP, one of which can be exploited for unauthenticated remote code execution (RCE) attacks.
The enterprise networking provider’s BIG-IP applications are enterprise-grade, modular software suites designed for data and app delivery, load balancing, traffic management, and other business functions.
F5 says that 48 out of Fortune 50 companies are F5 customers. Governments, telecoms firms, financial services, and healthcare providers are counted among clients.
F5’s security advisory, published on Wednesday, describes seven security flaws impacting BIG-IP and BIG-IQ deployments.
CVE-2021-22986 is an unauthenticated RCE impacting the BIG-IP management interface.
“The vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services,” F5 says. “This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.”
CVE-2021-22987 also impacts Appliance mode while BIG-IP’s Traffic Management User Interface (TMUI) is running. Authenticated users able to access TMUI can exploit the bug to execute arbitrary commands, tamper with files, and disable services.
“Exploitation can lead to complete system compromise and breakout of Appliance mode,” F5 added.
Alongside these security flaws, F5 has also tackled CVE-2021-22991 and CVE-2021-22992, critical buffer overflow bugs impacting the Traffic Management Microkernel (TMM) and Advanced WAF/ASM virtual servers. The vulnerabilities have both been awarded a severity score of 9.0.
Three other vulnerabilities have also been resolved; CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990 — issued CVSS scores of 8.8, 8.0, and 6.6 — which could be exploited for the purposes of remote command execution in TMUI components.
Kara Sprague, senior VP of F5’s Application Delivery Controller (ADC) business unit, said “the bottom line is that [the vulnerabilities] affect all BIG-IP and BIG-IQ customers and instances.”
“We urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” the executive added.
The vulnerabilities have been patched in BIG-IP versions 126.96.36.199, 188.8.131.52, 14.1.4, 184.108.40.206, 220.127.116.11, and 18.104.22.168. CVE-2021-22986 also impacts BIG-IQ and is fixed in versions 8.0.0, 22.214.171.124, and 126.96.36.199.
14 unrelated CVEs were also announced.
The US Cybersecurity and Infrastructure Security Agency (CISA), which issued an emergency directive last week commanding federal agencies to tackle actively-exploited Microsoft Exchange Server vulnerabilities, recommended that these security issues are dealt with promptly.
In July 2020, F5 patched a remote code execution vulnerability in BIG-IP, tracked as CVE-2020-5902, which was awarded a rare CVSS severity score of 10.0.
Discovered by Mikhail Klyuchnikov, a researcher with Positive Technologies, the bug impacted BIG-IP’s TMUI and allowed unauthenticated attackers to remotely compromise TMUI interfaces.
Only a few days after disclosure, threat actors began launching attacks against internet-facing BIG-IP builds. F5 warned at the time that “if TMUI [is] exposed to the internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0