F5 Security Patched Severe Vulnerabilities in its BIG-IP Networking Device – E Hacking News
F5 Security has patched over a dozen critical-severity vulnerabilities in its BIG-IP networking device, including one which was classified as critical severity when exploited under certain conditions.
A privilege escalation flaw, tracked as CVE-2021-23031 affects the BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI).
An authorized attacker who has entry to the Configuration tool can exploit the issue to run arbitrary system commands, create or remove files, and/or discontinue services. Due to the flaw, an attacker can totally compromise the network device.
The vulnerability was assigned a severity level of 8.8, but according to the security notice, users that use the Appliance Mode, which imposes some technical constraints, get a severity value of 9.9 out of 10.
As per the security advisory for CVE-2021-23031, the problem is only affecting a small number of clients in critical condition.
“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” states the advisory.
“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.”
The vendor advises that the device should be updated; however, if this is not feasible, admins should restrict access to the Configuration utility to only 100% trusted users.
The U. S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a security notification advising users and administrators to examine the F5 security advisory and install updated software or implement adequate measures as soon as possible.
F5 addressed 30 high-severity flaws in various products, including authenticated remote command execution vulnerabilities, cross-site scripting (XSS) issues, request forgery bugs, inadequate permission flaws, and denial-of-service flaws.
The flaws were given a severity score ranging from 7.2 to 7.5. The following is a list of issues patched by the vendor, along with their CVE and CVSS scores:
- CVE-2021-23025: High 7.2
- CVE-2021-23026: High 7.5
- CVE-2021-23027: High 7.5
- CVE-2021-23028: High 7.5
- CVE-2021-23029: High 7.5
- CVE-2021-23030: High 7.5
- CVE-2021-23031: High–Critical – Appliance mode only 8.8–9.9
- CVE-2021-23032: High 7.5
- CVE-2021-23033: High 7.5
- CVE-2021-23034: High 7.5
- CVE-2021-23035: High 7.5
- CVE-2021-23036: High 7.5
- CVE-2021-23037: High 7.5
Lastly, the vendor also fixed medium and low severity vulnerabilities.