Cybersecurity Threat Advisory 0013-21: F5 Big IP Vulnerability
F5 Networks, a leading networking provider for businesses everywhere, has announced the discovery of multiple remote code execution vulnerabilities. There are four of these RCE vulnerabilities, which affect most BIG-IP and BIG-IQ software versions. Successful exploitation could lead to system compromise, which in turn could lead to data leakage and service outages. SKOUT recommends ensuring that all devices are updated to their latest versions so that the security patches are in place.
Technical Detail & Additional Information
WHAT IS THE THREAT?
There are four separate critical Remote Code Execution (RCE) vulnerabilities which affect most BIG-IP and BIG-IQ software versions.
- iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986: This vulnerability allows unauthenticated attackers to execute arbitrary system commands through the iControl REST interface, which is reachable over the BIG-IP management interface and self IP addresses.
- Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987: This vulnerability allows authenticated users who have network access to execute arbitrary system commands through the iControl REST interface, which is reachable over the BIG-IP management interface and self IP addresses.
- TMM buffer-overflow vulnerability CVE-2021-22991: This vulnerability could allow undisclosed requests to a virtual server to be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, triggering a buffer overflow that can lead to a denial of service (DoS).
- Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992: This vulnerability could allow an attacker who controls back-end web servers, or who can manipulate server-side HTTP responses to a virtual server, to cause a denial of service (DoS).
WHY IS IT NOTEWORTHY?
F5 BIG-IP software and hardware have large-scale customers: Microsoft, Facebook, Oracle, Fortune 500 firms, banks, internet service providers (ISPs), and many more rely on F5 technology. F5 itself claims that “48 of the Fortune 50 rely on F5”. Because the product is so widely used, any vulnerability in it can cause serious problems for its customers. In July 2020, attackers became aware of vulnerabilities in F5 technology and specifically targeted enterprises that had not patched their F5 BIG-IP devices. Attackers know when these vulnerabilities exist, so it is very important that patches are applied as soon as they are released.
WHAT IS THE EXPOSURE OR RISK?
Each of the four vulnerabilities in F5 BIG-IP devices detailed above carries similar risk if exploited: a potential denial of service, or even complete system compromise, which could enable attackers to execute arbitrary system commands and create or delete files. Many companies depend on sensitive data remaining private and on providing continuous service to their customers; these vulnerabilities put both expectations at risk if they are exploited by attackers.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends installing all the patches released by F5 that address these vulnerabilities. The affected devices and software versions are listed in the F5 articles linked below.
- iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986: https://support.f5.com/csp/article/K03009991
- Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987: https://support.f5.com/csp/article/K18132488
- TMM buffer-overflow vulnerability CVE-2021-22991: https://support.f5.com/csp/article/K56715231
- Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992: https://support.f5.com/csp/article/K52510511
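The recommendation above is to get every BIG-IP device onto a fixed version. Because F5 publishes fixes per release branch (a 15.1.x device and a 16.0.x device each have their own fixed build), a fleet check needs to compare each device's installed version against the fixed version for its branch. The script below is an added example, not SKOUT's or F5's own tooling: it assumes the iControl REST endpoint /mgmt/tm/sys/version and the JSON shape that extract_version() walks, and the fixed-version table is a placeholder to be filled in from the F5 K-articles linked above.

```python
"""Fleet version audit for the BIG-IP patch recommendation (added example).

Assumptions, not taken from the advisory: the iControl REST endpoint
/mgmt/tm/sys/version returns JSON nested as entries -> <url> -> nestedStats
-> entries -> Version -> description, and FIXED_BY_BRANCH is filled in by the
operator from the F5 K-articles linked in the advisory."""
import base64
import json
import re
import ssl
import urllib.request
from typing import Dict, Optional, Tuple

# PLACEHOLDER: minimum fixed version per release branch ("major.minor" ->
# version string), copied from the relevant F5 K-article. Left empty here
# on purpose; needs_patch() reports None for any branch not in the table.
FIXED_BY_BRANCH: Dict[str, str] = {}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'16.0.1' -> (16, 0, 1, 0). BIG-IP versions carry up to four numeric
    components; pad to four so versions of different length compare correctly."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))  # type: ignore[return-value]


def branch_of(version: str) -> str:
    """Release branch key used by the fixed-version table, e.g. '15.1'."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def needs_patch(installed: str, fixed_by_branch: Dict[str, str]) -> Optional[bool]:
    """True if installed is below the fixed version for its branch, False if at
    or above it, None if the branch is not in the table (check the K-article:
    the branch may be unsupported or fixed only by moving to another branch)."""
    fixed = fixed_by_branch.get(branch_of(installed))
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


def extract_version(payload: dict) -> Optional[str]:
    """Pull Version.description out of a /mgmt/tm/sys/version response
    (assumed shape; see module docstring). Returns None if it is absent."""
    for stats in payload.get("entries", {}).values():
        entries = stats.get("nestedStats", {}).get("entries", {})
        version = entries.get("Version", {}).get("description")
        if version:
            return version
    return None


def fetch_version(host: str, user: str, password: str,
                  cafile: Optional[str] = None) -> Optional[str]:
    """Query one device over its management interface. The device's TLS
    certificate is verified against cafile (or the system trust store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/tm/sys/version",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return extract_version(json.load(resp))


def audit(hosts, user, password, fixed_by_branch=FIXED_BY_BRANCH, cafile=None):
    """Return {host: (installed_version, needs_patch_or_error)} for a fleet."""
    report = {}
    for host in hosts:
        try:
            installed = fetch_version(host, user, password, cafile)
        except (OSError, ValueError) as exc:  # unreachable, TLS, auth, bad JSON
            report[host] = (None, f"error: {exc}")
            continue
        status = needs_patch(installed, fixed_by_branch) if installed else None
        report[host] = (installed, status)
    return report


if __name__ == "__main__":
    import getpass
    import sys

    # Usage: python audit.py <mgmt-host> [<mgmt-host> ...]
    user = input("iControl user: ")
    password = getpass.getpass("iControl password: ")
    for host, (installed, status) in audit(sys.argv[1:], user, password).items():
        print(f"{host}: installed={installed} needs_patch={status}")
```

Run it from a host that is allowed to reach the management interfaces, with a read-only iControl account. A result of None is not "safe": it means the device's branch is not in your table, and the K-article has to be consulted for that branch specifically.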
For more in-depth information about the recommendations, please visit the F5 articles linked above.
If you have any questions, please contact our Security Operations Center.