iTnews
New critical vulnerabilities found in F5 devices

By Juha Saarinen on Mar 11, 2021 8:33AM

Can be used to remotely commandeer BIG-IP and BIG-IQ systems.

Enterprise security and network appliance vendor F5 has issued an advisory covering four critical vulnerabilities that attackers can exploit to remotely take over unpatched systems.

Unauthenticated attackers can exploit the CVE-2021-22986 flaw in the F5 iControl representational state transfer (REST) application programming interface to remotely run arbitrary system commands on several F5 products.

Given a Common Vulnerability Scoring System version 3 (CVSSv3) rating of 9.8 out of a possible 10, the critical bug allows attackers to create and delete files, execute commands, and disable system services.

CVE-2021-22986 can only be exploited through the control plane on vulnerable products and not the data plane, F5 said.

Three other vulnerabilities, CVE-2021-22987, CVE-2021-22988 and CVE-2021-22989, affect the traffic management user interface (TMUI) configuration tool on F5 devices, and allow authenticated users to remotely execute commands in undisclosed pages.

These have been given the CVSSv3 scores of 9.9 (critical), 8.0 (high) and 6.6 (medium) respectively.

Two further critical vulnerabilities are also patched by F5, CVE-2021-22991 and CVE-2021-22992, both of which are rated CVSSv3 9.0/10.0.

The latter two bugs can be used to trigger denial of service attacks, and could also be used for remote code execution leading to complete system compromise, F5 warned.

Maria Markstedter, founder of security vendor Corellium and a security researcher, criticised F5 for not using readily available exploit mitigation features that could have blunted the recent vulnerabilities.

*takes deep breath*

Executable stack?! How... How are we still seeing the lack of basic exploit mitigations in enterprise software. It’s 2021. Basic stack protection flags have been enabled by default in most compilers for ages! https://t.co/tl6YYUKNJ7 pic.twitter.com/JzQEbHY0MN

— Azeria (@Fox0x01) March 10, 2021

Markstedter's tweet was in response to Google Project Zero researcher Felix Wilhelm, who found the flaws in F5 software in December and notified the vendor about them.

Wilhelm also posted proof of concept code for CVE-2021-22992.

"While triggering the vulnerability is complex, exploiting it is trivial: The bd process has an executable stack and does not support basic exploit mitigations like PIE or stack cookies," Wilhelm wrote in his disclosure report.

"The attached proof-of-concept demonstrates arbitrary code execution against F5 BigIP v16.01 assuming a vulnerable ASM configuration and a compromised backend."
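As an added defender-side example (not from the article, F5, or Project Zero), the following Python checker reads the ELF headers of a binary and reports the three mitigations Wilhelm names: a PT_GNU_STACK program header without the PF_X flag means a non-executable stack, an ET_DYN file type indicates PIE, and the presence of the `__stack_chk_fail` symbol name is used as a heuristic for stack cookies. The ELF images it inspects here are constructed inline as header-only stubs; point `elf_mitigations` at the bytes of any ELF64 file to audit a real build.

```python
import struct

# ELF constants (values from the ELF64 specification)
PT_GNU_STACK = 0x6474E551      # program header describing stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3         # fixed-address executable vs position-independent

def elf_mitigations(data: bytes) -> dict:
    """Inspect a little-endian ELF64 image and report basic mitigations."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK header at all means the loader falls back to an
    # executable stack on most Linux systems, so default to "not protected".
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "nx_stack": nx_stack,
        "pie": e_type == ET_DYN,
        # Heuristic: a cookie-protected binary references __stack_chk_fail.
        "stack_cookies": b"__stack_chk_fail" in data,
    }

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image lacks (empty list = all present)."""
    return sorted(k for k, ok in elf_mitigations(data).items() if not ok)

def build_elf(e_type: int, stack_flags, with_cookie_symbol: bool) -> bytes:
    """Constructed header-only ELF64 stub for demonstration (not loadable)."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 0, 0, 0)   # x86-64, phdrs at 64
    tail = b"__stack_chk_fail\x00" if with_cookie_symbol else b""
    return ehdr + b"".join(phdrs) + tail

if __name__ == "__main__":
    hardened = build_elf(ET_DYN, PF_R | PF_W, True)
    weak = build_elf(ET_EXEC, PF_R | PF_W | PF_X, False)   # the profile Wilhelm describes
    print("hardened lacks:", missing_mitigations(hardened))
    print("weak lacks:", missing_mitigations(weak))
```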

Fixes are out now, F5 said.

"Because of the severity of these vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 also affects BIG-IQ, and this is fixed in 8.0.0, 7.1.0.3, and 7.0.0.2," the network device vendor said.

The recent critical vulnerabilities in F5 products come after last year's security scare that involved a bug that is exploitable with a single line of code, allowing for remote code and command execution.

That vulnerability led United States cyber security agencies to issue a warning in July, advising F5 customers not to delay applying patches to secure their appliances, as attacks were likely.

Copyright © iTnews.com.au . All rights reserved.