F5 addressed a flaw in BIG-IP devices rated as critical severity under specific conditions

F5 has addressed more than a dozen severe vulnerabilities in its BIG-IP networking device, including one rated as critical severity under specific conditions.

Security vendor F5 has addressed more than a dozen high-severity vulnerabilities in its BIG-IP networking device, including an issue that was considered as critical severity when exploited under specific conditions.

The flaw, tracked as CVE-2021-23031, is a privilege escalation issue on BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI).

An authenticated attacker with access to the Configuration utility can trigger the flaw to execute arbitrary system commands, create or delete files, and/or disable services. The issue could allow an attacker to completely compromise the network device.

The flaw received a severity score of 8.8, but according to the security advisory, for customers using the Appliance Mode, which applies some technical restrictions, the severity score raises to 9.9 out of 10.

According to the security advisory for CVE-2021-23031, only a limited number of customers are impacted by the issue in a critical mode.

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” reads the advisory. “The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.”

The vendor recommends updating the device, where it is not possible admins should limit access to the Configuration utility only to completely trusted users.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a security advisory encouraging users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.

F5 addressed high-severity 30 vulnerabilities in multiple products, they include authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery bugs, along insufficient permission and denial-of-service flaws.

The flaws received a severity score between 7.2 and 7.5. Below is the list of issues fixed by the vendor:

CVE / Bug ID	Severity	CVSS score	Affected products	Affected versions	Fixes introduced in
CVE-2021-23025	High	7.2	BIG-IP (all modules)	15.0.0 – 15.1.0 14.1.0 – 14.1.3 13.1.0 – 13.1.3 12.1.0 – 12.1.6 11.6.1 – 11.6.5	16.0.0 15.1.0.5 14.1.3.1 13.1.3.5
CVE-2021-23026	High	7.5	BIG-IP (all modules)	16.0.0 – 16.0.1 15.1.0 – 15.1.2 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6 11.6.1 – 11.6.5	16.1.0 16.0.1.2 15.1.3 14.1.4.2 13.1.4.1
BIG-IQ	8.0.0 – 8.1.0 7.0.0 – 7.1.0 6.0.0 – 6.1.0	None
CVE-2021-23027	High	7.5	BIG-IP (all modules)	16.0.0 – 16.0.1 15.1.0 – 15.1.2 14.1.0 – 14.1.4	16.1.0 16.0.1.2 15.1.3.1 14.1.4.3
CVE-2021-23028	High	7.5	BIG-IP (Advanced WAF, ASM)	16.0.0 – 16.0.1 15.1.0 – 15.1.3 14.1.0 – 14.1.4 13.1.0 – 13.1.3	16.1.0 16.0.1.2 15.1.3.1 14.1.4.2 13.1.4
CVE-2021-23029	High	7.5	BIG-IP (Advanced WAF, ASM)	16.0.0 – 16.0.1	16.1.0 16.0.1.2
CVE-2021-23030	High	7.5	BIG-IP (Advanced WAF, ASM)	16.0.0 – 16.0.1 15.1.0 – 15.1.3 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6	16.1.0 16.0.1.2 15.1.3.1 14.1.4.3 13.1.4.1
CVE-2021-23031	High–Critical – Appliance mode only	8.8–9.9	BIG-IP (Advanced WAF, ASM)	16.0.0 – 16.0.1 15.1.0 – 15.1.2 14.1.0 – 14.1.4 13.1.0 – 13.1.3 12.1.0 – 12.1.5 11.6.1 – 11.6.5	16.1.0 16.0.1.2 15.1.3 14.1.4.1 13.1.4 12.1.6 11.6.5.3
CVE-2021-23032	High	7.5	BIG-IP (DNS)	16.0.0 – 16.0.1 15.1.0 – 15.1.3 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6	16.1.0 15.1.3.1 14.1.4.4
CVE-2021-23033	High	7.5	BIG-IP (Advanced WAF, ASM)	16.0.0 – 16.0.1 15.1.0 – 15.1.3 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6	16.1.0 15.1.3.1 14.1.4.3 13.1.4.1
CVE-2021-23034	High	7.5	BIG-IP (all modules)	16.0.0 – 16.0.1 15.1.0 – 15.1.3	16.1.0 15.1.3.1
CVE-2021-23035	High	7.5	BIG-IP (all modules)	14.1.0 – 14.1.4	14.1.4.4
CVE-2021-23036	High	7.5	BIG-IP (Advanced WAF, ASM, DataSafe)	16.0.0 – 16.0.1	16.1.0 16.0.1.2
CVE-2021-23037	High	7.5	BIG-IP (all modules)	16.0.0 – 16.1.0 15.1.0 – 15.1.3 14.1.0 – 14.1.4 13.1.0 – 13.1.4 12.1.0 – 12.1.6 11.6.1 – 11.6.5	None

The vendor also fixed medium and low severity vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]