Security News > 2023 > October > F5 hurriedly squashes BIG-IP remote code execution bug

F5 has issued a fix for a remote code execution bug in its BIG-IP suite carrying a near-maximum severity score.

Researchers at Praetorian first discovered the authentication bypass flaw in BIG-IP's configuration utility and published their findings this week of what is the third major RCE bug to impact BIG-IP since 2020.

Michael Weber, one of Praetorian's researchers and co-author of the F5 discovery, took to Mastodon to reveal a little more about how the disclosure process with the vendor unfolded.

In a follow-up post, Weber revealed that F5 recently made him aware that an anonymous independent researcher approached the vendor highlighting the same bug in the last two weeks.

He said he suspects the RCE bug detailed in Praetorian's research "Was just bundled in" with a larger advisory from F5 on Thursday, which included issues for two other bugs impacting BIG-IP. One of these, a cache poisoning issue, was allegedly found by an independent security researcher who was aggrieved about the lack of bug bounty opportunities at F5, so they decided to disclose it themselves.

Having come off the back of looking into request smuggling issues in Qlik Sense Enterprise, the researchers investigated F5 from this lens, too, finding one vulnerability of this type that F5 admitted affected its custom Apache version.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/27/f5_hurriedly_fixes_bigip_remote/