Heimdal Security Blog

Customers in Sensitive Fields Affected by Critical F5 BIG-IP Vulnerability

F5 has patched more than a dozen high-severity bugs in its BIG-IP networking devices, including one vulnerability that is rated critical when exploited in a particular configuration (Appliance mode).

F5, Inc. is a U.S. company that specializes in application delivery networking (ADN), application availability and performance, multi-cloud management, application security, network security, access and authorization, and online fraud prevention.

On August 24, 2021, F5 published a list of 35 security issues affecting multiple F5 products, of which 13 were rated high severity, 15 medium, and 7 low.

One of the 13 high-severity vulnerabilities, tracked as CVE-2021-23031, is a privilege escalation issue in the Traffic Management User Interface (TMUI) of BIG-IP Advanced Web Application Firewall (Advanced WAF) and BIG-IP Application Security Manager (ASM).

What Happens When the Bug Is Exploited?

When exploited, CVE-2021-23031 allows an authenticated attacker with access to the Configuration utility to execute arbitrary system commands, create or delete files, or disable services. According to F5, this may result in complete system compromise. Because the flaw is a privilege escalation, the precondition is met by any account that can log in to the Configuration utility, not only an administrator.

The advisory assigns the vulnerability a CVSS v3.1 score of 8.8, but for customers running Appliance mode the score rises to 9.9 out of 10, because a successful exploit in that configuration crosses the security boundary Appliance mode is meant to enforce.

What Can Users Do?

F5 also notes that only a limited number of customers are affected by the issue in its critical (Appliance mode) form.

Because the attack requires an authenticated user, there is no viable mitigation that also allows users access to the Configuration utility. F5 states that the only way to guard against exploitation short of upgrading is to remove Configuration utility access from users who are not completely trusted.

The fixed issues include request forgery flaws, authenticated remote command execution bugs, cross-site scripting (XSS) vulnerabilities, insufficient permission checks, and denial-of-service flaws:

CVE / Bug ID | Severity | CVSS score | Affected products | Affected versions | Fixes introduced in
CVE-2021-23025 | High | 7.2 | BIG-IP (all modules) | 15.0.0 - 15.1.0, 14.1.0 - 14.1.3, 13.1.0 - 13.1.3, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5
CVE-2021-23026 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
CVE-2021-23027 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
CVE-2021-23028 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4
CVE-2021-23029 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1 | 16.1.0, 16.0.1.2
CVE-2021-23030 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
CVE-2021-23031 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.2, 14.1.0 - 14.1.4, 13.1.0 - 13.1.3, 12.1.0 - 12.1.5, 11.6.1 - 11.6.5 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
CVE-2021-23032 | High | 7.5 | BIG-IP (DNS) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 15.1.3.1, 14.1.4.4
CVE-2021-23033 | High | 7.5 | BIG-IP (Advanced WAF, ASM) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6 | 16.1.0, 15.1.3.1, 14.1.4.3, 13.1.4.1
CVE-2021-23034 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.0.1, 15.1.0 - 15.1.3 | 16.1.0, 15.1.3.1
CVE-2021-23035 | High | 7.5 | BIG-IP (all modules) | 14.1.0 - 14.1.4 | 14.1.4.4
CVE-2021-23036 | High | 7.5 | BIG-IP (Advanced WAF, ASM, DataSafe) | 16.0.0 - 16.0.1 | 16.1.0, 16.0.1.2
CVE-2021-23037 | High | 7.5 | BIG-IP (all modules) | 16.0.0 - 16.1.0, 15.1.0 - 15.1.3, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5 | None
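The table above is only useful once it is applied to a real fleet, and the details matter: a range such as "15.1.0 - 15.1.2" covers point releases like 15.1.2.1, a host on a branch with no listed fix (12.x for several entries) needs a branch upgrade rather than a point release, and CVE-2021-23037 has no fix at all. The following script is an added example (not F5's or Heimdal's code) that encodes the table and triages a constructed inventory of BIG-IP hosts. It assumes dotted-integer TMOS version strings, inclusive ranges, that a host counts as patched once it runs a fix from its own major.minor branch, and that the host records, names and provisioned-module sets are illustrative.

```python
"""Triage a BIG-IP inventory against the advisory table above.

Added example; not code from F5 or this blog. Assumptions: TMOS versions are
dotted integers, affected ranges are inclusive and a bound like "15.1.2" covers
its 15.1.2.x point releases, a host is patched once it runs a fix from its own
major.minor branch, and the host inventory below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

ALL = frozenset({"ALL"})                  # advisory applies to every module
WAF = frozenset({"Advanced WAF", "ASM"})  # module names as used in the table


def ver(s: str) -> tuple[int, ...]:
    """'15.1.2.1' -> (15, 1, 2, 1)."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    modules: frozenset[str]
    affected: str    # "low-high low-high ...", inclusive, copied from the table
    fixed: str       # space-separated fix versions; "" when none is published
    cvss: float
    appliance_cvss: float | None = None  # score when Appliance mode is enabled

    def ranges(self):
        return [tuple(ver(b) for b in r.split("-")) for r in self.affected.split()]

    def fixes(self):
        return [ver(f) for f in self.fixed.split()]


ADVISORIES = [
    Advisory("CVE-2021-23025", ALL, "15.0.0-15.1.0 14.1.0-14.1.3 13.1.0-13.1.3 12.1.0-12.1.6 11.6.1-11.6.5", "16.0.0 15.1.0.5 14.1.3.1 13.1.3.5", 7.2),
    Advisory("CVE-2021-23026", ALL, "16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.4 13.1.0-13.1.4 12.1.0-12.1.6 11.6.1-11.6.5", "16.1.0 16.0.1.2 15.1.3 14.1.4.2 13.1.4.1", 7.5),
    Advisory("CVE-2021-23027", ALL, "16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.4", "16.1.0 16.0.1.2 15.1.3.1 14.1.4.3", 7.5),
    Advisory("CVE-2021-23028", WAF, "16.0.0-16.0.1 15.1.0-15.1.3 14.1.0-14.1.4 13.1.0-13.1.3", "16.1.0 16.0.1.2 15.1.3.1 14.1.4.2 13.1.4", 7.5),
    Advisory("CVE-2021-23029", WAF, "16.0.0-16.0.1", "16.1.0 16.0.1.2", 7.5),
    Advisory("CVE-2021-23030", WAF, "16.0.0-16.0.1 15.1.0-15.1.3 14.1.0-14.1.4 13.1.0-13.1.4 12.1.0-12.1.6", "16.1.0 16.0.1.2 15.1.3.1 14.1.4.3 13.1.4.1", 7.5),
    Advisory("CVE-2021-23031", WAF, "16.0.0-16.0.1 15.1.0-15.1.2 14.1.0-14.1.4 13.1.0-13.1.3 12.1.0-12.1.5 11.6.1-11.6.5", "16.1.0 16.0.1.2 15.1.3 14.1.4.1 13.1.4 12.1.6 11.6.5.3", 8.8, 9.9),
    Advisory("CVE-2021-23032", frozenset({"DNS"}), "16.0.0-16.0.1 15.1.0-15.1.3 14.1.0-14.1.4 13.1.0-13.1.4 12.1.0-12.1.6", "16.1.0 15.1.3.1 14.1.4.4", 7.5),
    Advisory("CVE-2021-23033", WAF, "16.0.0-16.0.1 15.1.0-15.1.3 14.1.0-14.1.4 13.1.0-13.1.4 12.1.0-12.1.6", "16.1.0 15.1.3.1 14.1.4.3 13.1.4.1", 7.5),
    Advisory("CVE-2021-23034", ALL, "16.0.0-16.0.1 15.1.0-15.1.3", "16.1.0 15.1.3.1", 7.5),
    Advisory("CVE-2021-23035", ALL, "14.1.0-14.1.4", "14.1.4.4", 7.5),
    Advisory("CVE-2021-23036", WAF | {"DataSafe"}, "16.0.0-16.0.1", "16.1.0 16.0.1.2", 7.5),
    Advisory("CVE-2021-23037", ALL, "16.0.0-16.1.0 15.1.0-15.1.3 14.1.0-14.1.4 13.1.0-13.1.4 12.1.0-12.1.6 11.6.1-11.6.5", "", 7.5),
]


def in_affected_range(v, low, high) -> bool:
    # Compare only as many components as the bound has, so "15.1.2" covers 15.1.2.x.
    return v[:len(low)] >= low and v[:len(high)] <= high


def is_patched(v, fixes) -> bool:
    # Patched if the host already runs a fix released on its own major.minor branch.
    return any(v[:2] == f[:2] and v >= f for f in fixes)


def recommended_fix(v, fixes) -> str | None:
    # Lowest published fix above the running version (may imply a branch upgrade);
    # None when F5 lists no fix, as for CVE-2021-23037.
    later = [f for f in fixes if f > v]
    return ".".join(map(str, min(later))) if later else None


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    modules: frozenset[str]
    appliance_mode: bool = False


def triage(host: Host, advisories=ADVISORIES) -> list[dict]:
    """Return the advisories the host is still exposed to, highest CVSS first."""
    v = ver(host.version)
    findings = []
    for a in advisories:
        if a.modules != ALL and not (a.modules & host.modules):
            continue
        if not any(in_affected_range(v, lo, hi) for lo, hi in a.ranges()):
            continue
        if is_patched(v, a.fixes()):
            continue
        score = a.appliance_cvss if host.appliance_mode and a.appliance_cvss else a.cvss
        findings.append({"cve": a.cve, "cvss": score, "fix": recommended_fix(v, a.fixes())})
    return sorted(findings, key=lambda f: -f["cvss"])


# Constructed inventory for illustration; not real hosts.
INVENTORY = [
    Host("waf-edge-01", "15.1.2", frozenset({"LTM", "ASM"}), appliance_mode=True),
    Host("dns-01", "14.1.4.4", frozenset({"LTM", "DNS"})),
    Host("ltm-legacy", "12.1.6", frozenset({"LTM"})),
]

if __name__ == "__main__":
    for h in INVENTORY:
        for f in triage(h):
            fix = f["fix"] or "no fix published; restrict Configuration utility access"
            print(f"{h.name:12} {h.version:9} {f['cve']} CVSS {f['cvss']} -> {fix}")
```

Running it shows the three cases a fleet owner has to tell apart: the Appliance-mode WAF on 15.1.2 gets CVE-2021-23031 at 9.9 with 15.1.3 as the target, the fully patched 14.1.4.4 DNS box is clean except for the XSS bug with no fix, and the 12.1.6 host is exposed to two issues whose only remedy is moving to a 13.1.x point release or later.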

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a security advisory regarding the F5 releases, urging users and administrators to “review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”