Network admins with certain app delivery controllers and central management devices from F5 Networks are urged to install the latest security updates after the discovery of seven vulnerabilities, four of which are rated as critical.
In an alert issued March 11, the company said all of the vulnerabilities are in BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. One also affects BIG-IQ versions 8.0.0, 7.1.0.3, and 7.0.0.2.
“We urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” executive vice-president Kara Sprague wrote in a March 10 blog post.
Those who can’t update systems immediately should apply the mitigations described in the security advisories while developing a plan to complete the updates. Additional resources are available at the F5 vulnerability response site.
UPDATE: On March 19 the company said it had started seeing attackers trying to exploit the vulnerabilities.
The vulnerabilities are:
- K03009991: iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986). The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical);
- K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability (CVE-2021-22987). When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical);
- K70031188: TMUI authenticated remote command execution vulnerability (CVE-2021-22988). TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 8.8 (High);
- K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22989). When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 8.0 (High);
- K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability (CVE-2021-22990). On systems with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 6.6 (Medium);
- K56715231: TMM buffer-overflow vulnerability (CVE-2021-22991). Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL-based access control or remote code execution (RCE). CVSS score: 9.0 (Critical);
- K52510511: Advanced WAF/ASM buffer-overflow vulnerability (CVE-2021-22992). A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. CVSS score: 9.0 (Critical).
Security researchers note that it doesn’t take long after a vendor announces a serious vulnerability for attackers to try to exploit unpatched devices.