F5 hurriedly squashes BIG-IP remote code execution bug (Security News, October 2023)
F5 has issued a fix for a remote code execution bug in its BIG-IP suite carrying a near-maximum severity score.
Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP's Configuration utility and published their findings this week; it is the third major RCE bug to impact BIG-IP since 2020.
Michael Weber, one of Praetorian's researchers and co-author of the F5 discovery, took to Mastodon to reveal a little more about how the disclosure process with the vendor unfolded.
In a follow-up post, Weber revealed that F5 had recently made him aware that an anonymous independent researcher had approached the vendor within the last two weeks to report the same bug.
He said he suspects the RCE bug detailed in Praetorian's research "was just bundled in" with a larger advisory from F5 on Thursday, which also covered two other bugs impacting BIG-IP. One of these, a cache poisoning issue, was allegedly found by an independent security researcher who was aggrieved at the lack of bug bounty opportunities at F5 and so decided to disclose it themselves.
Having just come off looking into request smuggling issues in Qlik Sense Enterprise, the researchers examined F5 through the same lens and found one vulnerability of this type, which F5 admitted affected its custom Apache version.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/10/27/f5_hurriedly_fixes_bigip_remote/