Security

F5 addresses critical vulnerabilities in BIG-IP and BIG-IQ

Security firm F5 announced the availability of patches for seven vulnerabilities in BIG-IP, four of which have been rated as “critical” severity.

BIG-IP product family includes hardware, modularized software, and virtual appliances that run the F5 TMOS operating system and provides load balancing, firewall, access control, threat protection capabilities.

The vendor has released security updates for seven vulnerabilities in BIG-IP products, four have been rated as critical severity, two other issues have been rated high and one medium severity.

“As part of our ongoing security vulnerability management practices, today F5 announced several vulnerabilities and fixes for both BIG-IP and BIG-IQ.” states F5. “The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible.”

The critical vulnerabilities, tracked as CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992, affect BIG-IP versions 11.6 or 12.x and newer. The CVE-2021-22986 flaw also affects BIG-IQ versions 6.x and 7.x.

The most severe flaw is remote code execution vulnerability, tracked as CVE-2021-22987, that resides in the the Traffic Management User Interface (TMUI). The vulnerability received a CVSS score of 9.9.

“When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.” reads the advisory published by F5. “This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode.”

Another critical flaw, tracked as CVE-2021-22986 is an unauthenticated remote command execution vulnerability that resides in the iControl REST interface. The flaw received a CVSS score of 9.8 and affects BIG-IP and BIG-IQ.

The vulnerability could be exploited by unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

“This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.” reads the advisory.

The two high severity flaw addressed by F5 are CVE-2021-22988 (CVSS score of 8.8) and CVE-2021-22989 (CVSS score of 8.0), while the one rated as medium risk is tracked as CVE-2021-22990 (CVSS score of 6.6).

F5 also addressed 14 additional vulnerabilities, five high severity and nine medium risk.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

18 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.