F5 Bug Could Lead to Complete System Takeover

The worst of 13 bugs fixed by the August updates could lead to complete system compromise for users in sensitive sectors running products in Appliance mode.

Application delivery and networking firm F5 released a baker’s dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to “critical” for customers that run BIG-IP in Appliance Mode, given that an attacker that holds valid credentials can bypass Appliance Mode restrictions.

F5 – maker of near-ubiquitously installed enterprise networking gear – released nearly 30 vulnerabilities for multiple devices in its August security updates.

The worst of the bunch is tracked as CVE-2021-23031 and affects BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM) – specifically, the Traffic Management User Interface (TMUI).

Infosec Insiders Newsletter

F5 said that when the vulnerability is exploited, “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,” potentially leading to “complete system compromise.”

CVE-2021-23031 normally entails a high rating of 8.8 severity, but that gets jacked up to 9.9 for just those customers that are using Appliance mode. The Appliance mode adds technical restrictions and is designed to meet the needs of customers in “especially sensitive sectors” by “limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.”

F5 lists a number of products that contain the affected code but aren’t vulnerable, given that attackers can’t exploit the code in default, standard or recommended configurations. F5 noted that there are a limited number of customers using it in the mode – i.e., Appliance mode – that elevates the vulnerability’s CVSSv3 severity score to 9.9 (critical).

No Viable Mitigation

F5 said that there’s “no viable mitigation” that also allows users access to the Configuration utility, given that this attack can be pulled off by legitimate, authenticated users. The only way to mitigate is to pull the access of any users who aren’t “completely trusted,” according to the advisory.

Customers who can’t install a fixed version right off the bat can use the following temporary mitigations, which restrict access to the Configuration utility to only trusted networks or devices and thereby limit the attack surface:

Michael Haugh, Vice President at network automation provider Gluware, told Threatpost that known vulnerabilities are challenging to respond to quickly or to mitigate speedily: As it is, network operation crews are “under the gun to keep the network highly available, secure and delivering the required performance for the business applications,” he said. “Vendor vulnerabilities that require an OS Upgrade or patch can be very labor-intensive and potentially disruptive.”

Via email, Haugh observed that when it comes to a load balancer like F5, redundancy “must be part of the device” and traffic “must be re-directed off an active device, taking it out of service to perform an upgrade.”

Not just once, mind you, but, often, multiple times: “This process often has to be repeated over dozens or even hundreds of devices depending on the organization. Having automated processes to pre-check, stage the image, gracefully execute the upgrades and complete post-checks can significantly improve the ability for NetOps to respond and execute a low-risk upgrade.”

The Other Dozen Bugs

Besides the critical CVE-2021-23031 flaw, the dozen high-severity security bugs addressed in this month’s patch release and listed in the table below have risk scores of between 7.2 and 7.5. The flaws include authenticated remote command execution (RCE), cross-site scripting (XSS) and request forgery, as well as insufficient permission and denial-of-service (DOS).

Half of them affect all modules, five impact the Advanced WAF and ASM, and one affects the DNS module.

CVE / Bug ID Severity CVSS score Affected products Affected versions Fixes introduced in
CVE-2021-23025 High 7.2 BIG-IP (all modules) 15.0.0 – 15.1.0
14.1.0 – 14.1.3
13.1.0 – 13.1.3
12.1.0 – 12.1.6
11.6.1 – 11.6.5
16.0.0
15.1.0.5
14.1.3.1
13.1.3.5
CVE-2021-23026 High 7.5 BIG-IP (all modules) 16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5
16.1.0
16.0.1.2
15.1.3
14.1.4.2
13.1.4.1
BIG-IQ 8.0.0 – 8.1.0
7.0.0 – 7.1.0
6.0.0 – 6.1.0
None
CVE-2021-23027 High 7.5 BIG-IP (all modules) 16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
16.1.0
16.0.1.2
15.1.3.1
14.1.4.3
CVE-2021-23028 High 7.5 BIG-IP (Advanced WAF, ASM) 16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.3
16.1.0
16.0.1.2
15.1.3.1
14.1.4.2
13.1.4
CVE-2021-23029 High 7.5 BIG-IP (Advanced WAF, ASM) 16.0.0 – 16.0.1 16.1.0
16.0.1.2
CVE-2021-23030 High 7.5 BIG-IP (Advanced WAF, ASM) 16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
16.1.0
16.0.1.2
15.1.3.1
14.1.4.3
13.1.4.1
CVE-2021-23031 High

Critical – Appliance mode only

8.8

9.9

BIG-IP (Advanced WAF, ASM) 16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
13.1.0 – 13.1.3
12.1.0 – 12.1.5
11.6.1 – 11.6.5
16.1.0
16.0.1.2
15.1.3
14.1.4.1
13.1.4
12.1.6
11.6.5.3
CVE-2021-23032 High 7.5 BIG-IP (DNS) 16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
16.1.0
15.1.3.1
14.1.4.4
CVE-2021-23033 High 7.5 BIG-IP (Advanced WAF, ASM) 16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
16.1.0
15.1.3.1
14.1.4.3
13.1.4.1
CVE-2021-23034 High 7.5 BIG-IP (all modules) 16.0.0 – 16.0.1
15.1.0 – 15.1.3
16.1.0
15.1.3.1
CVE-2021-23035 High 7.5 BIG-IP (all modules) 14.1.0 – 14.1.4 14.1.4.4
CVE-2021-23036 High 7.5 BIG-IP (Advanced WAF, ASM, DataSafe) 16.0.0 – 16.0.1 16.1.0
16.0.1.2
CVE-2021-23037 High 7.5 BIG-IP (all modules) 16.0.0 – 16.1.0
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5
None

CISA Security Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory encouraging users and admins to review F5’s security advisory and to update the software or to apply mitigations ASAP.

“Don’t delay” is, of course, good advice when it comes to F5 equipment, given that the company’s enterprise networking can be found in some of the largest tech companies in the world, including Facebook, Microsoft and Oracle. It’s also found in the halls of a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

F5: Prime Pickings for Pests

All that gear is also gleefully picked apart by attackers. Case in point: CVE 2020-5902, a critical vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more, was recently featured in CISA’s list of top 30 bugs “routinely” exploited in 2020 and into this year.

Jonathan Chua, application security consultant at app security provider nVisium, noted that F5 Big IP has been targeted by security researchers and adversaries due to the product’s vulnerable, external nature. “Several F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service,” he told Threatpost on Thusday. “Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company’s network via the external perimeter.”

He pointed to  the F5 Traffic Management User Interface (TMUI), which is being actively exploited, as one example. The service is often available on a company’s external perimeter and contains a critical RCE vulnerability, he noted. “As a result, if the service is exploited, such service may provide external attackers an initial foothold in a company’s internal network,” Chua said in an email.

082621 13:48 UPDATE: Added input from Jonathan Chua and Michael Haugh.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles