F5 Networks has published patches to address vulnerabilities in its BIG-IP products, four of which were rated as critical in severity. According to the security advisory, the vulnerabilities affect BIG-IP applications used in enterprise-grade and modular software suites designed for data and app delivery, load balancing, traffic management, and other business functions. The vulnerabilities can be exploited to achieve remote code execution, denial of service, and/or complete device takeover.

___________________________________

A. Nature of the Vulnerabilities

The vulnerabilities are tracked as follows:

CVE-2021-22986: the iControl REST interface has an unauthenticated remote command execution vulnerability that allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and/or disable services.

CVE-2021-22987: the Traffic Management User Interface (TMUI), when running in Appliance mode, has an authenticated remote command execution vulnerability in undisclosed pages that allows authenticated users with network access to the Configuration utility, through the BIG-IP management port or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.

CVE-2021-22991: undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack and theoretically allowing the bypass of URL-based access control or remote code execution (RCE).

CVE-2021-22992: a malicious HTTP response to an Advanced WAF/ASM virtual server with a Login Page configured in its policy may trigger a buffer overflow, resulting in a Denial-of-Service (DoS) attack. It may also allow remote code execution, which may lead to complete system compromise.

___________________________________

B. List of Vulnerable Systems

The vulnerable BIG-IP products are as follows:

BIG-IP (All Modules) version:

  • 16.0.0 – 16.0.1
  • 15.1.0 – 15.1.2
  • 14.1.0 – 14.1.3.1
  • 13.1.0 – 13.1.3.5
  • 12.1.0 – 12.1.5.2
  • 11.6.1 – 11.6.5.2

BIG-IQ version:

  • 7.1.0 – 7.1.0.2
  • 7.0.0 – 7.0.0.1
  • 6.0.0 – 6.1.0

BIG-IP Advanced WAF/ASM version:

  • 16.0.0 – 16.0.1
  • 15.1.0 – 15.1.2
  • 14.1.0 – 14.1.3.1
  • 13.1.0 – 13.1.3.5
  • 12.1.0 – 12.1.5.2
  • 11.6.1 – 11.6.5.2

___________________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

Immediately test and apply the corresponding patched versions of the affected BIG-IP products from the F5 Security Advisory (https://support.f5.com/csp/article/K02566623).
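As an added example (not CERT-PH or F5 code), the following Python checks an inventory of device versions against the affected ranges listed in section B above, so that hosts needing the patch can be triaged; the hostnames and the inventory itself are constructed for illustration.

```python
"""Triage a device inventory against the affected version ranges in section B.
Added example; not CERT-PH or F5 code. Hostnames below are constructed."""

# Inclusive ranges (low, high) copied from section B of the advisory.
BIGIP_RANGES = [
    ("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.3.1"),
    ("13.1.0", "13.1.3.5"), ("12.1.0", "12.1.5.2"), ("11.6.1", "11.6.5.2"),
]
AFFECTED = {
    "BIG-IP": BIGIP_RANGES,
    "BIG-IP Advanced WAF/ASM": BIGIP_RANGES,
    "BIG-IQ": [("7.1.0", "7.1.0.2"), ("7.0.0", "7.0.0.1"), ("6.0.0", "6.1.0")],
}


def parse_version(text):
    """'14.1.3.1' -> (14, 1, 3, 1). Shorter strings are zero-padded to four
    fields so that 14.1.3 sorts as 14.1.3.0, just below 14.1.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True when `version` of `product` falls inside a listed range (bounds
    inclusive). Unknown products raise rather than silently passing."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns the hostnames whose version is in an affected range, sorted."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))


# Constructed sample inventory. "Not listed" is not the same as "fixed":
# the advisory gives only affected ranges, not the patched versions.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "14.1.3.1"),              # last version in range
    ("lb-edge-02", "BIG-IP", "14.1.4"),                # above the listed range
    ("waf-dmz-01", "BIG-IP Advanced WAF/ASM", "15.1.2"),
    ("bigiq-mgmt", "BIG-IQ", "7.1.0.3"),               # above 7.1.0.2
    ("lb-legacy", "BIG-IP", "11.6.0"),                 # below 11.6.1, not listed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, schedule patching per K02566623")
```

Hosts that fall outside every listed range should still be confirmed against the F5 advisory, since a version above a range's upper bound is only "not listed here", not proven patched.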

___________________________________

Updates:

24 March 2020

The recently patched critical vulnerability, CVE-2021-22986, has been observed being actively exploited in the wild by threat actors. A surge of mass scanning and exploitation attempts against still unpatched and vulnerable systems has been observed. Successful exploitation of the vulnerability could allow attackers to take full control of a vulnerable system.