On March 10, 2021, F5 Networks released updated software to fix 7 vulnerabilities in BIG-IP and BIG-IQ systems, 4 of which are rated critical, 2 high severity, and 1 medium severity.
Vulnerabilities in F5 software are highly sought after by threat actors, as the networking equipment is used by governments and large enterprises. 48 Fortune 50 firms, with the equipment commonly used by banks, ISPs, and many Fortune 500 firms. Previous vulnerabilities in BIG-IP and BIG-IQ software and hardware have been exploited quickly after patches have been released. A critical severity flaw in the BIG IP Traffic Management User Interface (TMUI) that was patched by F5 Networks in July 2020 was exploited in real world attacks a few days after the patch was released.
The four critical vulnerabilities have CVSS scores between 9.0 and 9.9 and allow unauthenticated individuals to remotely access BIG-IP devices and execute arbitrary code, which could lead to a full system compromise, interception of controller application traffic, and allow lateral movement within internal networks.
The only way to fully remediate the critical vulnerabilities is to update the software to the latest version. Due to the severity of the flaws and the high probability of exploitation, all BIG-IP customers have been urged to upgrade the software as soon as possible.
The four critical vulnerabilities are:
- CVE-2021-22986 – An iControl REST unauthenticated RCE vulnerability – CVSS 9.8
- CVE-2021-22987 – An Appliance Mode TMUI authenticated RCE vulnerability – CVSS 9.9
- CVE-2021-22991 – A TMM buffer overflow vulnerability – CVSS 9.0
- CVE-2021-22992 – An Advanced WAF/ASM buffer overflow vulnerability – CVSS 9.0
The high and medium severity vulnerabilities are:
- CVE-2021-22988 – A TMUI authenticated RCE vulnerability CVSS 8.8
- CVE-2021-22989 – An Appliance mode advanced WAF/ASM TMUI authenticated RCE vulnerability – CVSS 8.0
- CVE-2021-22990 – An Advanced WAF/ASM TMUI authenticated RCE vulnerability – CVSS 6.6
F5 has addressed all 7 vulnerabilities in BIG-IP versions: 126.96.36.199, 188.8.131.52, 14.1.4, 184.108.40.206, 220.127.116.11, and 18.104.22.168, and in BIG-IQ versions 8.0.0, 22.214.171.124, and 126.96.36.199.