F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices

Cyber Security

Enterprise security and network appliance vendor F5 has released patches for more than two dozen security vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.

Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.

Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.

It’s worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical rating of 9.9 out of 10. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.

The other major vulnerabilities resolved by F5 are listed below –

  • CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
  • CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
  • CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
  • CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
  • CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
  • CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM Websocket vulnerabilities
  • CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
  • CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities

Additionally, F5 has also patched a number of flaws that range from directory traversal vulnerability and SQL injection to open redirect vulnerability and cross-site request forgery, as well as a MySQL database flaw that results in the database consuming more storage space than expected when brute-force protection features of the firewall are enabled.

With F5 devices often becoming juicy targets for active exploitation attempts by threat actors, it’s highly recommended that users and administrators install updated software or apply the necessary mitigations as soon as possible.