Enterprise security and network appliance vendor F5 has issued an advisory covering four critical vulnerabilities that attackers can exploit to remotely take over unpatched systems.
Unauthenticated attackers can exploit the Common Vulnerabilities and Exposures (CVE) 2021-22986 flaw in the F5 iControl representational state transfer (REST) application programming interface to remotely run arbitrary system commands on several F5 products.
Given a Common Vulnerabilities Scoring System version 3 rating of 9.8 out of 10 possible, the critical bug allows attackers to create and delete files as well as execute commands, and disable system services.
CVE-2021-22986 can only be exploited through the control plane on vulnerable products and not the data plane, F5 said.
Three other vulnerabilities, CVEs 2021-22987, 22988 and 22989, affect the traffic management user interface (TMUI) configuration tool on F5 devices, and allow authenticated users to remotely execute commands in undisclosed pages.
These have been given the CVSSv3 scores of 9.9 (critical), 8.0 (high) and 6.6 (medium) respectively.
Two further critical vulnerabilities are also patched by F5, CVE-2021-2291 and 22992, both of which are rated CVSSv3 9.0/10.0.
The latter two bugs can be used to trigger denial of service attacks, and could also be used for remote code execution leading to complete system compromise, F5 warned.
Security vendor Corellium founder and researcher Maria Markstedter criticised F5 for not using readily available bug mitigation features that could have avoided the recent vulnerabilities.
*takes deep breath*— Azeria (@Fox0x01) March 10, 2021
Executable stack?! How... How are we still seeing the lack of basic exploit mitigations in enterprise software. It’s 2021. Basic stack protection flags have been enabled by default in most compilers for ages! https://t.co/tl6YYUKNJ7 pic.twitter.com/JzQEbHY0MN
Markstedter's tweet was in response to Google Project Zero researcher Felix Wilhelm who found the flaws in F5 software in December, and notified the security vendor about them.
Wilhelm also posted proof of concept code for CVE-2012-22992.
"While triggering the vulnerability is complex, exploiting it is trivial: The bd process has an
executable stack and does not support basic exploit mitigations like PIE or stack cookies," Wilhelm wrote in his disclosure report.
"The attached proof-of-concept demonstrates arbitrary code execution against F5 BigIP v16.01 assuming a vulnerable ASM configuration and a compromised backend."
Fixes are out now, F5 said.
"Because of the severity of these vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All seven vulnerabilities are fixed in the following BIG-IP versions: 188.8.131.52, 184.108.40.206, 14.1.4, 220.127.116.11, 18.104.22.168, and 22.214.171.124. CVE-2021-22986 also affects BIG-IQ, and this is fixed in 8.0.0, 126.96.36.199, and 188.8.131.52," the network device vendor said.
The recent critical vulnerabilities in F5 products come after last year's security scare that involved a bug that is exploitable with a single line of code, allowing for remote code and command execution.
That vulnerability led United States cyber security agencies to issue a warning in July, advising F5 customers not to delay applying patches to secure their appliances, as attacks were likely.