F5 RCE Vulnerabilities

F5 Networks has published a security advisory warning customers to patch a critical flaw in BIG-IP product that is very likely to be exploited.

On March 10th, 2021, F5 announced four critical CVEs, along with three related CVEs (two high and one medium). The security advisory aimed to serve as an overview of these vulnerabilities which help to determine the impact on your F5 devices.

The Seven (7) Related Vulnerabilities are as follows:

  • iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)

The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)

  • Appliance Mode TMUI authenticated remote command execution vulnerability (CVE-2021-22987)

When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

  • TMUI authenticated remote command execution vulnerability (CVE-2021-22988)

TMUI also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 8.8 (High)

  • Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22989)

When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 8.0 (High)

  • Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22990)

On systems with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 6.6 (Medium)

  • TMM buffer-overflow vulnerability (CVE-2021-22991)

Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow a bypass of URL-based access control or remote code execution (RCE). CVSS score: 9.0 (Critical)

  • Advanced WAF/ASM buffer-overflow vulnerability (CVE-2021-22992)

A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.CVSS score: 9.0 (Critical)

Patches Available

F5 recommends that all customers install fixed software as soon as possible. All seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3.

CVE-2021-22986 also affects BIG-IQ, and this is fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.

The BIG-IP product is an application delivery controller (ADC), it is used by government agencies and major businesses, including banks, services providers, and IT giants like Facebook, Microsoft, and Oracle.

In July 2020, F5 patched a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating tracked as CVE-2020-5902 and affecting the Traffic Management User Interface (TMUI) of BIG-IP ADC appliances. Similar to the pre-auth RCE bug announced today, CVE-2020-5902 allows unauthenticated attackers to run arbitrary system commands following successful exploitation.

F5 Networks says the BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list. US Cyber Command is urging organizations using the F5 product to immediately patch their installs.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Vulnerability with VLC Player 3.0.11 Let Attackers Execute Code Remotely

VMware Fixes Critical RCE Vulnerability with View Planner

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.