Emerging Threat Notification: F5 Networks Vulnerabilities for BIG-IP and BIG-IQ Products
ADVISORY SUMMARY
F5 Networks released a series of security advisories today for seven vulnerabilities affecting their BIG-IP and BIG-IQ products. In the advisory, they urge that companies download and install the security update immediately in order to protect themselves from all seven issues. The bugs were discovered by Felix Wilhelm of Google’s Project Zero team back in December and were published today alongside a proof-of-concept exploit.
These vulnerabilities exist across all different pieces and parts of the BIG-IP environment, from the Traffic Manager User Interface (TMUI) to the iControl Rest Interface and on both the control and data plane. While the initial eye-catching vulnerability may be the unauthenticated RCE against the iControl Rest Interface (CVE-2021-22986), it’s worth noting that attackers don’t need access to the management interface to perform the denial-of-service (and possibly RCE) reported in CVE-2021-22991 and CVE-2021-22992.
IMPACT
It's important to note is that while these bugs hadn’t been seen being exploited in the wild at the time of the advisory, CISA has previously stated that F5 BIG-IP devices are “attractive targets” for threat actors. Last year, threat actors had been observed trying to leverage a similar unauthenticated RCE (CVE-2020-5902) less than a week after the vendor advisory was released.
Due to the popularity of the affected products and its widespread use within many organization (ZDNet asserts that 48 of the Fortune 50 List), these critical vulnerabilities require your immediate attention.
CVEs
CVE ID |
Description |
Score |
Severity |
iControl REST unauthenticated remote code execution |
9.8 |
Critical |
|
Appliance Mode TMUI authenticated remote command execution |
9.9 |
Critical |
|
TMUI authenticated remote command execution |
8.8 |
High |
|
Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution |
8.0 |
High |
|
Advanced WAF/ASM TMUI authenticated remote command execution |
6.6 |
Medium |
|
Traffic Management Microkernel buffer overflow |
9.0 |
Critical |
|
Advanced WAF/ASM buffer-overflow |
9.0 |
Critical |
AFFECTED VERSIONS
BIG-IP:
- 16.0.0-16.0.1
- 15.1.0-15.1.2
- 14.1.0-14.1.3.1
- 13.1.0-13.1.3.5
- 12.1.0-12.1.5.2
- 11.6.1-11.6.5.2
BIG-IQ:
- 7.1.0-7.1.0.2
- 7.0.0-7.0.0.1
- 6.0.0-6.1.0
MITIGATION
- We recommend that you consult the F5 support documentation includes the technical details of how to detect a possible exploitation of one of these vulnerabilities: https://support.f5.com/csp/article/K04532512#q6.
- To determine if your iControl REST Interface is publicly accessible,
- The Diagnostics tab within F5 iHealth has heuristic tests designed to look for several different pieces of evidence which suggest there are interfaces exposed to the public Internet, but it may not be able to identify all cases.
- Alternatively, having a public (that is, a routable non-RFC1919) IP address associated with the management port or self IP addresses is a strong indication that these interfaces may be accessible through the Internet. You can test this by attempting to connect back to the BIG-IP system on port 443 or 22 from a remote device. If these interfaces have RFC1919 addresses associated, then you must check upstream NAT devices to determine if there is any inbound connectivity from the Internet (such as through port forwarding).
- To block access to iControl in the interim (strongly recommended), follow the instructions here: https://support.f5.com/csp/article/K04532512#q13
- We also recommend that you read the advice on detection and blocking, on the F5 support page to get the most updated guidance: https://support.f5.com/csp/article/K02566623
SHAMELESS PLUG
If you’re a Cosmos client, we’ve already investigated whether you’re affected by the vulnerabilities (or not) and updated you appropriately. If you’re interested in getting continuous testing on your attack surface to surface emerging threats, explore our Cosmos subscription service.
LINKS
-
CISA Advisory : https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq
-
Vendor Advisory : https://support.f5.com/csp/article/K02566623
-
Vendor Advisory (Archived) : https://archive.is/MxYwk
-
Vendor FAQ on these CVEs - https://support.f5.com/csp/article/K04532512
-
Project Zero bug report : https://bugs.chromium.org/p/project-zero/issues/detail?id=2132
-
Project Zero bug report : https://bugs.chromium.org/p/project-zero/issues/detail?id=2126
-
PoC from researcher : https://twitter.com/_fel1x/status/1369675356073041924
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
