Security News > 2021 > March > Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws
To kick off, there's CVE-2021-22987, which scores a 9.9 on the ten-point CVSS scale of severity as it "Allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services." Administrators are advised the flaw allows "Complete system compromise and breakout of Appliance mode." Note that this can only be exploited via the control plane, and it does require an attacker to have a valid login - so a rogue insider or someone using stolen credentials, perhaps.
At a mere 9.8 rating, CVE-2021-22986 "Allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services." Complete system compromise is again a possible consequence.
F5 says: "A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution, leading to complete system compromise." Google's Wilhelm has a proof-of-concept exploit and more info here.
CVE-2021-22989 throttles back the horror with its 8.0 rating, but it allows "Highly privileged authenticated users to execute arbitrary system commands, create or delete files, or disable services." Complete system compromise and breakout of Appliance mode are again possible.
The seven main bugs are bad enough that America's Cyberspace and Infrastructure Agency issued an advisory in which it "Encourages users and administrators review the F5 advisory and install updated software as soon as possible." That's perhaps because foreign miscreants have exploited F5 holes in the past to sneak into networks belonging to Uncle Sam and big business.
The dossier says observed attacks exploiting the Exchange flaws are "Consistent with previous targeting activity by Chinese cyber actors."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/03/11/f5_critical_flaws/
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Major security audit of critical FreeBSD components now available (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Critical security hole in Apache Struts under exploit (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-31 | CVE-2021-22987 | Unspecified vulnerability in F5 products On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. | 9.9 |
2021-03-31 | CVE-2021-22989 | Unspecified vulnerability in F5 products On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. | 9.1 |
2021-03-31 | CVE-2021-22986 | Server-Side Request Forgery (SSRF) vulnerability in F5 products On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. | 9.8 |