Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/11/2021
07:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

F5 Networks Urges Customers to Update to New Versions of Its App Delivery Tech

F5 BIG-IP and BIG-IQ have multiple critical vulnerabilities that enable attackers to completely compromise systems.

Enterprise organizations using F5 Networks' BIG-IP and BIG-IQ application delivery technologies are being urged to immediately update their systems to address multiple critical vulnerabilities in the products.

Several of the vulnerabilities enable remote attackers to take complete control of the systems to execute malicious code, disable services, create or delete files, and take other malicious actions.

Related Content:

BIG-IP Vulnerabilities Could be Big Trouble for Customers

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Does XDR Mark the Spot? 6 Questions to Ask

"Unlike previous notable F5 exploits, not all of these can be easily hand-waved away by restricting external access to the administrative interfaces known as the 'control plane,'" says Justin Rhinehart, senior analyst at Bishop Fox. Two critical exploits disclosed this week affect the so-called data plane, which is the part responsible for handing any and all traffic going through the BIG-IP platform, he says. The only way to mitigate these exploits is by patching.

In a worst-case scenario, Rhinehart says, an attacker can use a vulnerable F5 BIG-IP appliance to break into the broader enterprise network.  

"Remote command execution in a location with such privileged access is absolutely the stuff of nightmares," he says, "Attackers can use these devices to gain a foothold on a victim's network [and] attack sensitive targets that are not usually accessible from the outside world."

F5 Networks on Wednesday disclosed four critical vulnerabilities in BIG-IP 11.6 or 12.x and newer — one of which also impacted versions 6.x and 7.x of the company's BIG-IQ centralized management technology. In addition, F5 announced seven high severity bugs and 10 medium security issues impacting BIG-IP and BIG-IQ — technologies that many enterprise organizations use for a range of application delivery services, such as access control, load balancing, and app security. The company has released patches for all disclosed issues.

In a blog, F5 networks describes the vulnerabilities as impacting all BIG-IP and BIG-IQ customers and instances. The vendor urges customers to update their installations of these technologies to the fixed versions as quickly as possible. It was a sentiment echoed by the Department of Homeland Security's Cybersecurity and Information Security Agency (CISA) in an advisory Wednesday.

"CISA encourages users and administrators review the F5 advisory and install updated software as soon as possible," the agency said.

Last June, CISA warned that F5 Networks' BIG-IP technology presented a big target for attackers because of the access these devices provide to enterprise networks. At that time, the agency was responding to reports about attackers actively exploiting another critical vulnerability in BIG-IP that, like the latest batch of bugs, allowed for complete system compromise.

Critical Impact
The four critical vulnerabilities that F5 Networks announced this week are an unauthenticated remote command execution (RCE) vulnerability in BIG-IP iControl REST interface (CVE-2021-22986); a similar RCE vulnerability in the Traffic Management User Interface (CVE-2021-22987); a buffer-overflow bug in the technology's Traffic Management Microkernel (CVE-2021-22991); and an advanced WAF/ASM buffer-overflow vulnerability (CVE-2021-22992).

All four of the critical flaws have a severity rating of 9 or more, indicating they are considered as highly critical. Two of the bugs allow remote attackers to execute arbitrary system commands and to delete or create files and disable critical service. One of flaws (CVE-2021-22987) gives attackers a way to trigger a total system compromise, and the fourth (CVE-2021-22992) enables attackers to execute denial-of-service attacks.

Rhinehart says vulnerabilities are critical because the BIG-IP platform is meant to control all data entering and exiting a network.

"Unauthenticated remote code execution against any application is scary enough, but their importance, location in the network, and prevalence [of BIG-IP] really takes this one to the next level," he says.

For organizations with the impacted technologies, the RCE flaw in the iControl REST Interface likely poses the biggest immediate threat because of the relative ease with which it can be exploited, Rhinehart says.

"In the weeks and months to come, the two vulnerabilities affecting the data plane [CVE-2021-22991 and CVE-2021-22992] become more and more of a concern as people dig deeper into how they work and write advanced exploits that may allow for remote code executions," he explains.

Companies that cannot immediately update to the latest patched versions F5 announced this week should disable access to the iControl REST interface, though this can be tricky, Rhinehart adds. He recommends organizations that are unsure about how to do this should refer to F5 Networks' guidance on the topic.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...