Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.
Bugs concern on TMUI – the Traffic Management User Interface that users work with to drive F5 products – and they can be exploited to achieve remote code execution, denial of service attacks, or complete device takeovers; sometimes all three. The iControl REST API that F5 offers to automate its products is also problematic.
To kick off, there’s CVE-2021-22987, which scores a 9.9 on the ten-point CVSS scale of severity as it “allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.”.
At a mere 9.8 rating, CVE-2021-22986 “allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.”
CVE-2021-22991 and CVE-2021-22992 each score mere 9.0 each.
The 22991 flaw, “undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack.” Breaking URL based access control or allowing remote code execution (RCE) are other possible consequences.
The ‘22992 flaw is also a potential horror show. F5 says: “A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.”
The next on the list has an 8.8 CVSS rating, so is still very unpleasant. CVE-2021-22988 means that BIG-IP’s Traffic Management User Interface “has an authenticated remote command execution vulnerability in undisclosed pages.”
CVE-2021-22989 throttles back the horror with its 8.0 rating, but it allows “highly privileged authenticated users … to execute arbitrary system commands, create or delete files, or disable services.” Complete system compromise and breakout of Appliance mode are again possible.
The runt of the litter, with a 6.6 rating, is CVE-2021-22990.
Fixes are in if you upgrade BIG-IP to versions 126.96.36.199, 188.8.131.52, 14.1.4, 184.108.40.206, 220.127.116.11, and 18.104.22.168. CVE-2021-22986 impacts another F5 product, BIG-IQ, and can be fixed with an upgrade to versions 8.0.0, 22.214.171.124, and 126.96.36.199.