Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP! (Security News, March 2021)
Application security company F5 Networks on Wednesday published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service attack and even unauthenticated remote code execution on target networks.
The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution also affecting BIG-IQ versions 6.x and 7.x. F5 said it's not aware of any public exploitation of these issues.
Urging customers to update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible, F5 Networks' Kara Sprague said the "vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5's security program."
The fixes are notable because this is the second time in as many years that F5 has disclosed flaws that could allow remote code execution.
The latest BIG-IP update arrives less than a year after the company addressed a similar critical flaw in early July 2020. Multiple hacking groups exploited that bug to target unpatched devices, prompting the U.S. Cybersecurity and Infrastructure Security Agency to issue an alert cautioning of "broad scanning activity for the presence of this vulnerability across federal departments and agencies."
"This bug is probably going to fly under the radar, but this is a much bigger deal than it looks because it says something is really really broken in the internal security process of F5 BIG-IP devices," said Matt "Pwn all the Things" Tait in a tweet.