F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs


The F5 flaws could affect the networking infrastructure for some of the largest tech and Fortune 500 companies – including Microsoft, Oracle and Facebook.

F5 Networks is warning users to patch four critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, the flaws could allow attackers to take full control over a vulnerable system.

The company released an advisory on Wednesday covering seven bugs in total; of the three non-critical ones, two are rated high risk and one medium risk. “We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” the company advised on its website.

The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urged companies using BIG-IP and BIG-IQ to fix two of the critical vulnerabilities, which are being tracked as CVE-2021-22986 and CVE-2021-22987.

The former, with a CVSS rating of 9.8, is an unauthenticated remote command execution vulnerability in the iControl REST interface, according to a detailed breakdown of the bugs in F5’s Knowledge Center. The latter, with a CVSS rating of 9.9, affects the infrastructure’s Traffic Management User Interface (TMUI), also referred to as the Configuration utility. When running in Appliance mode, the TMUI has an authenticated RCE vulnerability in undisclosed pages, according to F5.

The two other critically rated vulnerabilities are being tracked as CVE-2021-22991 and CVE-2021-22992. The first, with a CVSS score of 9.0, is a buffer overflow vulnerability that can be triggered when “undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization,” according to F5. This can result in a denial-of-service (DoS) condition that, in some situations, “may theoretically allow bypass of URL based access control or remote code execution (RCE),” the company warned.

CVE-2021-22992 is also a buffer overflow bug with a CVSS rating of 9. This flaw can be triggered by “a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy,” according to F5. It also may allow for RCE and “complete system compromise” in some situations, the company warned.

The other three non-critical bugs being patched in F5’s update this week are CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.

CVE-2021-22988, with a CVSS score of 8.8, is an authenticated RCE that also affects TMUI. CVE-2021-22989, with a CVSS rating of 8.0, is another authenticated RCE that also affects TMUI in Appliance mode, this time when Advanced WAF or BIG-IP ASM are provisioned. And CVE-2021-22990, with a CVSS score of 6.6, is a similar but less dangerous vulnerability that exists in the same scenario, according to F5.

F5 is no stranger to critical bugs in its enterprise networking products. In July, the vendor and other security experts—including U.S. Cyber Command—urged companies to deploy an urgent patch for a critical RCE vulnerability in BIG-IP’s app delivery controllers that was being actively exploited by attackers to scrape credentials, launch malware and more. That bug (CVE-2020-5902) had a CVSS rating of 10 out of 10. Moreover, a delay in patching at the time left systems exposed to the flaw for weeks after F5 released the fix.
