F5 Announces Critical BIG-IP pre-auth RCE bug
F5 Networks has announced four critical vulnerabilities, most of them remote code execution (RCE) flaws, affecting most BIG-IP and BIG-IQ software versions.
F5 Networks is a leading provider of enterprise networking gear; its software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and well-known consumer brands such as Microsoft, Oracle, and Facebook.
The advisory covers the four critical vulnerabilities listed below, among them a pre-authentication RCE flaw (CVE-2021-22986) that allows unauthenticated remote attackers to execute arbitrary commands on vulnerable BIG-IP devices:
- iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986): the iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical).
- Appliance Mode TMUI authenticated remote command execution vulnerability (CVE-2021-22987): when running in Appliance mode, the Traffic Management User Interface (TMUI), also known as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical).
- TMM buffer-overflow vulnerability (CVE-2021-22991): undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow and result in a denial-of-service (DoS) condition. CVSS score: 9.0 (Critical).
- Advanced WAF/ASM buffer-overflow vulnerability (CVE-2021-22992): a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with a Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS condition and, in certain situations, remote code execution (RCE) and complete system compromise. CVSS score: 9.0 (Critical).
F5 also disclosed three further RCE vulnerabilities (two rated High and one Medium, with CVSS scores ranging from 6.6 to 8.8) that allow authenticated remote attackers to execute arbitrary system commands.
Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.
F5 strongly encourages all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible.
To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version.
F5 provides guidance on upgrading the software running on BIG-IP appliances, covering multiple upgrade scenarios, in its BIG-IP upgrade guide.
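"Update to a fixed version" is easy to get wrong at fleet scale, because F5 ships fixes per release branch: a device on 16.0.0 is numerically newer than a fixed 15.1.x build yet can still be vulnerable, so a flat "version >= X" test gives false reassurance. The helper below, added here as an example and not code from the article or from F5, compares each appliance's reported version against the first fixed version on its own branch. The fixed-version table, the host names and the `tmsh show sys version` outputs are assumptions constructed for the illustration; populate the table from the F5 security advisory for the CVEs you are tracking before relying on the result.

```python
"""Per-branch fixed-version triage for BIG-IP / BIG-IQ (added example).

F5 publishes fixes per release branch, so the check is: find the branch
(major.minor) the device runs, then compare against that branch's first
fixed build.  A branch missing from the table is reported as unknown
(typically end-of-life) rather than silently passed.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# ASSUMED illustrative table: (major, minor) branch -> first fixed version.
# Replace these values with the ones in F5's advisory for the CVEs you track.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], str]] = {
    "BIG-IP": {
        (16, 0): "16.0.1.1",
        (15, 1): "15.1.2.1",
        (14, 1): "14.1.4",
        (13, 1): "13.1.3.6",
        (12, 1): "12.1.5.3",
        (11, 6): "11.6.5.3",
    },
    "BIG-IQ": {
        (8, 0): "8.0.0",
        (7, 1): "7.1.0.3",
        (7, 0): "7.0.0.2",
    },
}


def parse_version(s: str) -> Version:
    """Turn '15.1.0.4' into (15, 1, 0, 4); rejects anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def cmp_versions(a: Version, b: Version) -> int:
    """Compare two version tuples; missing trailing components count as 0."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def is_fixed(product: str, version: str) -> Optional[bool]:
    """True if at/after the branch's fixed build, False if before, None if the
    branch is not in the table (unknown or end-of-life: treat as needing review)."""
    v = parse_version(version)
    branch = (v[0], v[1] if len(v) > 1 else 0)
    fixed = FIXED_VERSIONS.get(product, {}).get(branch)
    if fixed is None:
        return None
    return cmp_versions(v, parse_version(fixed)) >= 0


# `tmsh show sys version` prints a "Main Package" block with Product and
# Version lines; these patterns pull those two fields out of that text.
_PRODUCT_RE = re.compile(r"^\s*Product\s+(\S.*?)\s*$", re.M)
_VERSION_RE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", re.M)


def parse_tmsh_version(text: str) -> Tuple[str, str]:
    """Extract (product, version) from `tmsh show sys version` output."""
    p = _PRODUCT_RE.search(text)
    v = _VERSION_RE.search(text)
    if not p or not v:
        raise ValueError("could not find Product/Version lines in tmsh output")
    return p.group(1), v.group(1)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'PRODUCT VERSION: fixed|VULNERABLE|unknown-branch'."""
    out: Dict[str, str] = {}
    for host, text in inventory.items():
        product, version = parse_tmsh_version(text)
        state = is_fixed(product, version)
        label = "fixed" if state else ("unknown-branch" if state is None else "VULNERABLE")
        out[host] = f"{product} {version}: {label}"
    return out


# Constructed sample inventory (not captured from real devices).
SAMPLE_INVENTORY: Dict[str, str] = {
    "lb-edge-01": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.0.4\n  Build       0.0.9\n",
    "lb-edge-02": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     16.0.1.1\n  Build       0.0.6\n",
    "lb-legacy":  "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     11.5.4\n  Build       0.0.256\n",
}

if __name__ == "__main__":
    for host, line in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {line}")
```

Feed it the saved output of `tmsh show sys version` from each appliance (or the equivalent field from your CMDB); anything reported as VULNERABLE or unknown-branch goes onto the upgrade list, and the unknown-branch hosts deserve a look first, since an end-of-life branch will never receive a fix.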