BIG-IP F5 has fixed more than a dozen high-severity vulnerabilities part of its monthly patch delivery cycle in its networking device, one of them being elevated to critical severity under specific conditions.

Out of thirteen high-severity flaws that F5 fixed, one becomes critical in a configuration designed to meet the needs of customers in especially sensitive sectors and could lead to complete system compromise.

The issue is now tracked as CVE-2021-23031 and affects BIG-IP modules Advanced WAF and the ASM, specifically the Traffic Management User Interface (TMUI). A privilege escalation with an 8.8 severity score that can be exploited by an authenticated attacker with access to the Configuration utility to run arbitrary system commands, which could lead to complete system compromise.

F5’s security advisory for CVE-2021-23031 does not provide many details on why there are two severity ratings but notes that there is a “limited number of customers” that are impacted by the critical variant of the bug unless they install the updated version or apply mitigations. If updating the devices is not possible, F5 says that the only way to defend against possible exploitation is to limit access to the Configuration utility only to completely trusted users.

Except for CVE-2021-23031, the dozen high-severity security bugs that F5 addressed this month come with risk scores between 7.2 and 7.5. Half of them affect all modules, five impact the Advanced WAF and ASM, and one affects the DNS module. The flaws range from authenticated remote command execution to cross-site scripting (XSS) and request forgery, to insufficient permission and denial-of-service.

CVE / Bug IDSeverityCVSS scoreAffected products
CVE-2021-23025High7.2BIG-IP (all modules)
CVE-2021-23026High7.5BIG-IP (all modules)
CVE-2021-23027High7.5BIG-IP (all modules)
CVE-2021-23028High7.5BIG-IP (Advanced WAF, ASM)
CVE-2021-23029High7.5BIG-IP (Advanced WAF, ASM)
CVE-2021-23030High7.5BIG-IP (Advanced WAF, ASM)
CVE-2021-23031High8.8BIG-IP (Advanced WAF, ASM)
CVE-2021-23032High7.5BIG-IP (DNS)
CVE-2021-23033High7.5BIG-IP (Advanced WAF, ASM)
CVE-2021-23034High7.5BIG-IP (all modules)
CVE-2021-23035High7.5BIG-IP (all modules)
CVE-2021-23036High7.5BIG-IP (Advanced WAF, ASM, Data Safe)
CVE-2021-23037High7.5BIG-IP (all modules)
Critical Vulnerabilities Patched