Security News > 2021 > March > Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP!
Application security company F5 Networks on Wednesday published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service attack and even unauthenticated remote code execution on target networks.
The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution also affecting BIG-IQ versions 6.x and 7.x. F5 said it's not aware of any public exploitation of these issues.
Urging customers to update their BIG-IP and BIG-IQ deployments to a fixed version as soon as possible, F5 Networks' Kara Sprague said the "Vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5's security program."
The fixes are notable for the fact that it's the second time in as many years that F5 has revealed flaws that could allow remote code execution.
The latest update to BIG-IP software arrives less than a year after the company addressed a similar critical flaw in early July 2020, with multiple hacking groups exploiting the bug to target unpatched devices, prompting the U.S. Cybersecurity and Infrastructure Security Agency to issue an alert cautioning of a "Broad scanning activity for the presence of this vulnerability across federal departments and agencies."
"This bug is probably going to fly under the radar, but this is a much bigger deal than it looks because it says something is really really broken in the internal security process of F5 BIG-IP devices," said Matt "Pwn all the Things" Tait in a tweet.
News URL
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)