PoC Exploit Posted Online Leaves Critical F5 BIG-IP Bug Exposed
Adversaries are mass scanning and targeting exposed and unpatched networking devices trying to break into enterprise networks.
F5 Networks recently released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, but their adversaries have begun to mass scan and target exposed and unpatched networking devices.
This in the wild exploitation happened after a proof-of-concept exploits code surfaced online earlier this week by reverse-engineering the Java software patch in BIG-IP, and since then the mass scans have spiked.
The flaws are affecting BIG-IP versions 11.6 or 12.x and newer, having a critical remote code execution (CVE-2021-22986) that is also impacting BIG-IQ versions 6.x and 7.x. CVE-2021-22986 (CVSS score: 9.8).
It seems that the successful exploitation of these vulnerabilities could lead to a fully compromised system, with the possibility of remote code execution as well as trigger a buffer overflow, all of this leading to a DoS attack.
On March 10, F5 said it wasn’t aware of any public exploitation, but researchers from NCC Group have now found evidence of “full chain exploitation of F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986”, and also the researchers from Palo Alto Networks’ Unit 42 declared to had identified attempts to exploit CVE-2021-22986 and install the Mirai botnet.
Given the popularity of BIG-IP/BIG-IQ in corporate and government networks, it should come as no surprise that this is the second time in a year F5 appliances have become a lucrative target for exploitation.
The bottom line is that [the flaws] affect all BIG-IP and BIG-IQ customers and instances — we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible
For the time being it’s not clear if the CVEs exploits were successful, as researchers are still investigating this matter.