Overview
On 10th March 2021, F5 released a security advisory to address multiple vulnerabilities for BIG-IP – CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22991, and CVE-2021-22992. Out of 7, 4 vulnerabilities are flagged as Critical, 2 rated as High and one rated as Medium in severity. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on the vulnerable BIG-IP system.
Below is the brief listing of the critical vulnerabilities.
CVE-2021-22986
This RCE (Remote Code Execution) vulnerability was found in the iControl REST interface with a CVE score of 9.8. This vulnerability allows unauthenticated attackers having network access to the iControl REST interface to execute an arbitrary code on the target system. This bug can only be exploited through the control plane.
CVE-2021-22987
Found in the Traffic Management User Interface (TMUI), also known as the Configuration Utility, and has the highest CVE score of 9.9. It allows authenticated users having network access to the Configuration utility to execute arbitrary code on the target system. This bug can only be exploited through the control plane.
CVE-2021-22991
A buffer overflow vulnerability was found in the Traffic Management Microkernel (TMM), with a CVE score of 9.0. TMM incorrectly handles the undisclosed requests to a virtual server, which could trigger a buffer overflow. Successful exploitations of this vulnerability could cause a denial-of-service, or bypass of URL-based access control, or RCE on the target system. This bug can only be exploited through the control plane.
CVE-2021-22992
This vulnerability was present in the ASM (Application Security Manager) virtual server, with a CVE score of 9.0. To exploit this vulnerability, the attacker must have control over the back-end web servers (pool members) or the ability to manipulate the server-side HTTP responses to the virtual server. Exploitation can only be possible through the data plane. Exploitation could result in a denial-of-service or RCE.
Below is a brief listing of high and medium severity vulnerabilities.
CVE-2021-22988 , CVE-2021-22989:
These high severity RCE vulnerabilities were found in the Traffic Management User Interface (TMUI), with CVE scores of 8.8, 8.0 respectively. This vulnerability allows authenticated users having network access to the Configuration utility to execute arbitrary code on the vulnerable system. Exploitation can only be possible through the data plane.
CVE-2021-22990:
This medium severity RCE vulnerability was found in the Traffic Management User Interface (TMUI), with a CVE score of 6.6. Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the vulnerable system. Exploitation can only be possible through the control plane.
Fixed BIG-IP Versions:
BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3
Mitigation
1) CVE-2021-22986:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
2) CVE-2021-22987:
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface
3) CVE-2021-22988: F5 has not provided mitigation for CVE-2021-22988.
4) CVE-2021-22989:
- Mitigate malicious connections using an iRule
- Modify Login Page configuration
- Harden pool members
- Remove login pages
5) CVE-2021-22990, CVE-2021-22991, and CVE-2021-22992:
- Block Configuration utility access through self IP addresses
- Block Configuration utility access through the management interface
Detection
Qualys customers can scan their network with QID 375344 to detect vulnerable assets.
Update: Qualys released QID 38833 : F5 BIG-IP ASM,LTM,APM Multiple vulnerabilities (K02566623) (unauthenticated check) to detect this issue remotely.
Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
- https://support.f5.com/csp/article/K02566623
- https://support.f5.com/csp/article/K03009991
- https://support.f5.com/csp/article/K18132488
- https://support.f5.com/csp/article/K56715231
- https://support.f5.com/csp/article/K52510511
- https://support.f5.com/csp/article/K70031188
- https://support.f5.com/csp/article/K45056101
- https://support.f5.com/csp/article/K56142644
- https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq