Multiple Critical Vulnerabilities in BIG-IP and BIG-IQ

Published on 11 Mar 2021

Updated on 14 Apr 2021

F5 Networks has released security updates to address four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

These vulnerabilities are:

CVE-2021-22986 — Allows unauthenticated attackers with network access to the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

CVE-2021-22987 — Allows authenticated users with network access to the Configuration utility, through the BIG-IP management port or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.

CVE-2021-22991 — When undisclosed requests to a virtual server are handled incorrectly by the Traffic Management Microkernel (TMM), URI normalisation may trigger a buffer overflow, resulting in a Denial of Service (DoS) attack. Successful exploitation of this vulnerability could allow attackers to bypass URL-based access control or perform RCE.

CVE-2021-22992 — A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. Successful exploitation of this vulnerability could allow attackers to perform RCE, leading to complete system compromise.

The following product versions are affected:

BIG-IP:
• 16.0.0 - 16.0.1
• 15.1.0 - 15.1.2
• 14.1.0 - 14.1.3
• 13.1.0 - 13.1.3
• 12.1.0 - 12.1.5

BIG-IQ Centralized Management:
• 7.0.0 - 7.1.0
• 6.0.0 - 6.1.0

Administrators of the affected versions are advised to upgrade to the latest product versions immediately.
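As an added example (not part of the original advisory), the following script checks an inventory of BIG-IP and BIG-IQ version strings against the affected ranges listed above, so administrators can see which hosts the upgrade advice applies to; the hostnames and versions in the sample inventory are constructed. A version outside every listed range is reported as "not in a listed range", which is not the same as confirmed fixed.

```python
# Added example: triage BIG-IP / BIG-IQ versions against the advisory's affected ranges.
from typing import Dict, List, Tuple

# Affected ranges exactly as listed in the advisory (both bounds inclusive).
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "BIG-IP": [("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.3"),
               ("13.1.0", "13.1.3"), ("12.1.0", "12.1.5")],
    "BIG-IQ": [("7.0.0", "7.1.0"), ("6.0.0", "6.1.0")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.1.1' into (16, 0, 1, 1) so versions compare numerically, not as text."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_listed_range(product: str, version: str) -> bool:
    """True when `version` falls inside one of the advisory's affected ranges.

    Tuple comparison means a point release above the listed upper bound
    (e.g. 16.0.1.1 against '16.0.1') is NOT flagged, while one inside the
    range (e.g. 13.1.0.8 against '13.1.0'..'13.1.3') IS flagged.
    """
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[dict]:
    """Return one record per (host, product, version) with the range check result."""
    return [{"host": host, "product": product, "version": version,
             "in_affected_range": in_listed_range(product, version)}
            for host, product, version in inventory]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "15.1.2"),    # inside 15.1.0 - 15.1.2
    ("lb-edge-02", "BIG-IP", "16.0.1.1"),  # above the listed upper bound 16.0.1
    ("lb-core-01", "BIG-IP", "13.1.0.8"),  # inside 13.1.0 - 13.1.3
    ("biq-mgmt-01", "BIG-IQ", "7.1.0"),    # inside 7.0.0 - 7.1.0
    ("biq-mgmt-02", "BIG-IQ", "8.0.0"),    # outside every listed range
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        status = "IN AFFECTED RANGE" if r["in_affected_range"] else "not in a listed range"
        print(f'{r["host"]:12} {r["product"]:7} {r["version"]:9} {status}')
```

Hosts reported as "not in a listed range" should still be confirmed against the F5 articles in the References, since the advisory lists affected ranges rather than fixed versions.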

References
https://support.f5.com/csp/article/K03009991
https://support.f5.com/csp/article/K18132488
https://support.f5.com/csp/article/K56715231
https://www.bleepingcomputer.com/news/security/f5-urges-customers-to-patch-critical-big-ip-pre-auth-rce-bug/