By The Integrity360 Team on March 10, 2021

F5 BIG-IP and BIG-IQ Critical Security Vulnerabilities

Breaches, Alerts & Advisories

Relevant CVE: CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22991, CVE-2021-22992

Last Updated: 15:00 GMT 23/03/21

Advisory Update 23/03/21: 

Since the announcement by F5 of new vulnerabilities and fixes for both BIG-IP and BIG-IQ, it has become evident by a number of global threat intelligence sources that CVE-2021-22986 is being publicly exploited. 

K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVSS score: 9.8 (Critical)

If you are running a version known to be vulnerable, you can eliminate this vulnerability by installing a version listed in the Fixes introduced section of the F5 advisory.  

 

 

F5 Original Advisory: 10/03/2021 

F5 have announced new vulnerabilities and fixes for both BIG-IP and BIG-IQ, including four critical CVEs.

These vulnerabilities affect all BIG-IP and BIG-IQ customers and F5 is strongly recommending all BIG-IP and BIG-IQ systems be updated to fixed versions as soon as possible

The Threat 

The following critical vulnerabilities in F5’s BIG-IP and BIG-IQ were disclosed.

K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
The iControl REST interface has an unauthenticated remote command execution vulnerability.
CVSS score: 9.8 (Critical)

K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability CVE-2021-22987
When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 9.9 (Critical)

K70031188: TMUI authenticated remote command execution vulnerability CVE-2021-22988
TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.8 (High)

K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989
When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 8.0 (High)

K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990
On systems with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.
CVSS score: 6.6 (Medium)

K56715231: TMM buffer-overflow vulnerability CVE-2021-22991
Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE).
CVSS score: 9.0 (Critical)

K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.
CVSS score: 9.0 (Critical)

Integrity360 will continue to monitor our client estates and the wild with extra care and due diligence for threat actors looking to capitalise on these critical vulnerabilities.


More information

There are resources available about the vulnerabilities and how to update or upgrade the affected BIG-IP and BIG-IQ systems on the F5 vulnerability response site.

Integrity360 will continue to monitor this situation and provide updates, links and resources on this dedicated page if new information comes to light. 

Should you require assistance directly, please contact your account manager or use our contact form for further assistance. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.

For more information on these vulnerabilities please check the related content links listed below.