F5 Networks & US CISA Warn of Critical BIG-IP & BIG-IQ RCE Bugs!

F5 Networks is warning users to patch 4 critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, the flaws could allow attackers to take full control over a vulnerable system.

The F5 issues could affect the networking infrastructure for some of the largest tech & ‘Fortune 500’ companies – including Microsoft, Oracle & Facebook.

Advisory

The company released an advisory, Wed., on 7 bugs in total, with 2 others rated as high risk & 1 rated as medium risk, respectively. “We strongly encourage all customers to update their BIG-IP & BIG-IQ systems to a fixed version as soon as possible,” the company advised on its website.

The situation is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft & Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions & ISPs.

The US Cybersecurity & Infrastructure Agency (CISA) also urged companies using BIG-IP & BIG-IQ to fix 2 of the critical vulnerabilities, which are being tracked as CVE-2021-22986 & CVE-2021-22987.

Unauthenticated Remote Command

The former, with a CVSS rating of 9.8, is an unauthenticated remote command execution vulnerability in the iControl REST interface, according to a detailed breakdown of the bugs in F5’s Knowledge Centre.

The latter, with a CVSS rating of 9.9, affects the infrastructure’s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages, according to F5.
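Both of the CISA-flagged bugs sit in management-plane interfaces (iControl REST and TMUI), so a practical interim check while patching is whether those interfaces are being reached from outside the management network at all. The following is an added example, not code from F5 or from the article: it scans web-server-style access log lines for requests to the iControl REST and TMUI path prefixes (`/mgmt/` and `/tmui/`, taken from general BIG-IP knowledge rather than from the advisory text) and reports any that come from an address outside a management allowlist. The allowlist, the log format and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical management-network allowlist, constructed for this example.
# A real deployment would load this from its own network inventory.
MGMT_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Path prefixes of the two interfaces named in the advisory. These prefixes
# come from general BIG-IP knowledge, not from the article itself.
SENSITIVE_PREFIXES = ("/mgmt/", "/tmui/")

# Minimal parser for common/combined log format: client IP, timestamp,
# request line and status code. Assumed format, not an F5-specific one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for untrusted sources.
SAMPLE_LOG = """\
10.0.0.15 - - [10/Mar/2021:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2021:10:01:05 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 401
198.51.100.9 - - [10/Mar/2021:10:01:09 +0000] "GET /tmui/login.jsp HTTP/1.1" 200
10.0.0.20 - - [10/Mar/2021:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2021:10:01:15 +0000] "GET /index.html HTTP/1.1" 200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip_str: str) -> bool:
    """True when the client address falls inside the management allowlist."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in MGMT_ALLOWLIST)


def find_exposed_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every request to a management interface from a non-allowlisted source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skipped rather than silently trusted
        if rec["path"].startswith(SENSITIVE_PREFIXES) and not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits


def summarise_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count exposed requests per client address for a quick triage view."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    exposed = find_exposed_requests(SAMPLE_LOG)
    for rec in exposed:
        print(f'{rec["ip"]} -> {rec["method"]} {rec["path"]} ({rec["status"]})')
    print("per-source counts:", summarise_by_source(exposed))
```

Any hit here means the management plane is reachable from a network it should not be, which is the exposure both CISA-flagged CVEs depend on; the status code is reported but not used as a filter, because an unauthenticated interface bug does not need a successful login to matter.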

Critically Rated Vulnerabilities

The 2 other critically rated vulnerabilities are being tracked as CVE-2021-22991 & CVE-2021-22992.

The 1st, with a CVSS score of 9.0, is a buffer overflow vulnerability that can be triggered when “undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalisation,” according to F5.

Denial-of-Service

This can result in a denial-of-service (DoS) attack, that, in some situations, “may theoretically allow bypass of URL based access control or remote code execution (RCE),” the company warned.

CVE-2021-22992 is also a buffer overflow bug with a CVSS rating of 9. This flaw can be triggered by “a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy,” according to F5. It also may allow for RCE & “complete system compromise” in some situations, the company warned.

F5’s Update this Week

The other 3 non-critical bugs being patched in F5’s update this week are CVE-2021-22988, CVE-2021-22989 & CVE-2021-22990.

CVE-2021-22988, with a CVSS score of 8.8, is an authenticated RCE that also affects TMUI. CVE-2021-22989, with a CVSS rating of 8.0, is another authenticated RCE that also affects TMUI in Appliance mode, this time when Advanced WAF or BIG-IP ASM are provisioned.

Also, CVE-2021-22990, with a CVSS score of 6.6, is a similar but less dangerous vulnerability that exists in the same scenario, according to F5.

Critical Bugs

F5 is no stranger to critical bugs in its enterprise networking products. In July, the vendor & other security experts—including US Cyber Command—urged companies to deploy an urgent patch for a critical RCE vulnerability in BIG-IP’s app delivery controllers that was being actively exploited by attackers to scrape credentials, launch malware & more.

That bug (CVE-2020-5902) had a CVSS rating of 10 out of 10. However, a delay in patching at the time left systems exposed to the flaw for weeks after F5 released the fix.
