F5 Urges Customers To Patch Critical BIG-IP Pre-auth RCE Bug

F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.”

The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:

• iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 — The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
• Appliance Mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 — When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)
• TMM buffer-overflow vulnerability CVE-2021-22991 — Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). CVSS score: 9.0 (Critical)
• Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 — A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. CVSS score: 9.0 (Critical)

Also Read: What You Should Know About The Data Protection Obligation Singapore

Today, F5 published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands.

Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.

The seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3, according to F5.

CVE-2021-22986, the pre-auth RCE flaw, also affects BIG-IQ (a management solution for BIG-IP devices), and it was fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.

“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” F5 says in a notification published earlier today.

“To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version.”

F5 provides information on how to upgrade the software running on your BIG-IP appliances with details on multiple upgrade scenarios in this BIG-IP upgrade guide.

We've announced several fixes for vulnerabilities, 4 of them critical. If you're an F5 customer, update your BIG-IP and BIG-IQ systems as soon as possible to fully protect yourself. You'll find all the info here: https://t.co/9Bu53O3cjg pic.twitter.com/rjyUu29DfM

— F5 (@F5) March 10, 2021

BIG-IP RCE flaws previously exploited by state hackers

In July 2020, F5 patched a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating tracked as CVE-2020-5902 and affecting the Traffic Management User Interface (TMUI) of BIG-IP ADC appliances.

Similar to the pre-auth RCE bug announced today, CVE-2020-5902 allows unauthenticated attackers to run arbitrary system commands following successful exploitation.

Dragos security researchers reported in September that the Iranian-backed Pioneer Kitten hacking group started targeting enterprises that didn’t patch their BIG-IP devices starting with early-July 2020 after the flaw was announced.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

The malicious activity revealed by Dragos lined up with an August FBI Private Industry Notification also warning of Iranian state hackers attempting to exploit vulnerable Big-IP ADC devices since early July 2020.

CISA issued another advisory regarding China-sponsored hackers targeting government agencies by hunting down and trying to hack F5, Microsoft Exchange, Citrix, Pulse Secure devices and servers.

Enterprises with unpatched F5 BIG-IP ADCs face an even higher risk from financially motivated threat actors that might also deploy ransomware on compromised networks and steal credentials to access other network devices.