Emerging Threat Notification: F5 Networks Vulnerabilities for BIG-IP and BIG-IQ Products

ADVISORY SUMMARY

F5 Networks released a series of security advisories today for seven vulnerabilities affecting their BIG-IP and BIG-IQ products. In the advisories, they urge companies to download and install the security updates immediately in order to protect themselves from all seven issues. The bugs were discovered by Felix Wilhelm of Google’s Project Zero team back in December and were published today alongside a proof-of-concept exploit.

These vulnerabilities span many components of the BIG-IP environment, from the Traffic Management User Interface (TMUI) to the iControl REST interface, and affect both the control and data planes. While the initial eye-catching vulnerability may be the unauthenticated RCE against the iControl REST interface (CVE-2021-22986), it’s worth noting that attackers don’t need access to the management interface to trigger the denial-of-service (and possible RCE) reported in CVE-2021-22991 and CVE-2021-22992.

IMPACT

It's important to note that while these bugs had not been seen exploited in the wild at the time of the advisory, CISA has previously stated that F5 BIG-IP devices are “attractive targets” for threat actors. Last year, threat actors were observed attempting to exploit a similar unauthenticated RCE (CVE-2020-5902) less than a week after the vendor advisory was released.

Due to the popularity of the affected products and their widespread use within many organizations (ZDNet reports that 48 of the Fortune 50 use them), these critical vulnerabilities require your immediate attention.

CVEs

CVE ID          Description                                                                   Score  Severity
CVE-2021-22986  iControl REST unauthenticated remote code execution                           9.8    Critical
CVE-2021-22987  Appliance Mode TMUI authenticated remote command execution                    9.9    Critical
CVE-2021-22988  TMUI authenticated remote command execution                                   8.8    High
CVE-2021-22989  Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution   8.0    High
CVE-2021-22990  Advanced WAF/ASM TMUI authenticated remote command execution                  6.6    Medium
CVE-2021-22991  Traffic Management Microkernel buffer overflow                                9.0    Critical
CVE-2021-22992  Advanced WAF/ASM buffer overflow                                              9.0    Critical


AFFECTED VERSIONS

BIG-IP:

  • 16.0.0-16.0.1
  • 15.1.0-15.1.2
  • 14.1.0-14.1.3.1
  • 13.1.0-13.1.3.5
  • 12.1.0-12.1.5.2
  • 11.6.1-11.6.5.2

BIG-IQ:

  • 7.1.0-7.1.0.2
  • 7.0.0-7.0.0.1
  • 6.0.0-6.1.0

MITIGATION

  • We recommend that you consult the F5 support documentation, which includes the technical details of how to detect possible exploitation of these vulnerabilities: https://support.f5.com/csp/article/K04532512#q6.

  • To determine whether your iControl REST interface is publicly accessible:
    • The Diagnostics tab within F5 iHealth has heuristic tests designed to look for several different pieces of evidence that suggest interfaces are exposed to the public Internet, but it may not be able to identify all cases.
    • Alternatively, having a public (that is, a routable non-RFC1918) IP address associated with the management port or self IP addresses is a strong indication that these interfaces may be accessible from the Internet. You can test this by attempting to connect to the BIG-IP system on port 443 or 22 from a remote device. If these interfaces have RFC1918 addresses associated with them, you must check upstream NAT devices to determine whether there is any inbound connectivity from the Internet (such as through port forwarding).

  • To block access to iControl in the interim (strongly recommended), follow the instructions here: https://support.f5.com/csp/article/K04532512#q13.

  • We also recommend that you read the advice on detection and blocking on the F5 support page to get the most up-to-date guidance: https://support.f5.com/csp/article/K02566623.
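The exposure check described above (RFC1918 classification of management and self IP addresses, followed by a connect test on ports 443 and 22 for routable ones), as an added example that is not part of the original notification or of F5's tooling. The inventory addresses are constructed samples; the probe is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# RFC 1918 private address space; management or self IPs outside these
# blocks are routable and a strong indication of Internet exposure.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports the advisory suggests testing from a remote device: HTTPS (TMUI / iControl REST) and SSH.
PROBE_PORTS = (443, 22)


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside RFC 1918 private space."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a plain TCP connect from this host; True if the port accepts it."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(addrs: Iterable[str],
                    probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, dict]:
    """Classify each address and, for routable ones, probe the management ports.

    Returns {addr: {"rfc1918": bool, "open_ports": [int], "finding": str}}.
    RFC1918 addresses are not probed: the advisory says to check upstream NAT instead.
    """
    report: Dict[str, dict] = {}
    for addr in addrs:
        private = is_rfc1918(addr)
        open_ports: List[int] = [] if private else [p for p in PROBE_PORTS if probe(addr, p)]
        if private:
            finding = "RFC1918 address: check upstream NAT/port-forwarding for inbound access"
        elif open_ports:
            finding = "routable address with management ports reachable: block iControl access now"
        else:
            finding = "routable address, ports closed from this vantage point: confirm ACLs"
        report[addr] = {"rfc1918": private, "open_ports": open_ports, "finding": finding}
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not real devices); substitute your own management and self IPs.
    for addr, result in assess_exposure(["10.1.2.3", "192.168.50.10", "203.0.113.25"]).items():
        print(addr, result)
```

Run it from a host outside your network so the connect test reflects the Internet's view rather than an internal one.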

SHAMELESS PLUG

If you’re a Continuous Attack Surface Testing (CAST) client, we’ve already investigated whether you’re affected by the vulnerabilities (or not) and updated you appropriately. If you’re interested in getting continuous testing on your attack surface to surface emerging threats, explore our CAST subscription service.

LINKS