F5 addresses critical vulnerabilities in BIG-IP and BIG-IQ

Security firm F5 announced the availability of patches for seven vulnerabilities in BIG-IP, four of which have been rated as “critical” severity.

BIG-IP product family includes hardware, modularized software, and virtual appliances that run the F5 TMOS operating system and provides load balancing, firewall, access control, threat protection capabilities.

The vendor has released security updates for seven vulnerabilities in BIG-IP products, four have been rated as critical severity, two other issues have been rated high and one medium severity.

“As part of our ongoing security vulnerability management practices, today F5 announced several vulnerabilities and fixes for both BIG-IP and BIG-IQ.” states F5. “The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible.”

The critical vulnerabilities, tracked as CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992, affect BIG-IP versions 11.6 or 12.x and newer. The CVE-2021-22986 flaw also affects BIG-IQ versions 6.x and 7.x.

The most severe flaw is remote code execution vulnerability, tracked as CVE-2021-22987, that resides in the the Traffic Management User Interface (TMUI). The vulnerability received a CVSS score of 9.9.

“When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.” reads the advisory published by F5. “This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode.”

Another critical flaw, tracked as CVE-2021-22986 is an unauthenticated remote command execution vulnerability that resides in the iControl REST interface. The flaw received a CVSS score of 9.8 and affects BIG-IP and BIG-IQ.

The vulnerability could be exploited by unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

“This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.” reads the advisory.

The two high severity flaw addressed by F5 are CVE-2021-22988 (CVSS score of 8.8) and CVE-2021-22989 (CVSS score of 8.0), while the one rated as medium risk is tracked as CVE-2021-22990 (CVSS score of 6.6).

F5 also addressed 14 additional vulnerabilities, five high severity and nine medium risk.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]