F5 addressed a flaw in BIG-IP devices rated as critical severity under specific conditions

Pierluigi Paganini August 25, 2021

F5 has addressed more than a dozen severe vulnerabilities in its BIG-IP networking device, including one rated as critical severity under specific conditions.

Security vendor F5 has addressed more than a dozen high-severity vulnerabilities in its BIG-IP networking device, including an issue that was considered as critical severity when exploited under specific conditions.

The flaw, tracked as CVE-2021-23031, is a privilege escalation issue on BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI).

An authenticated attacker with access to the Configuration utility can trigger the flaw to execute arbitrary system commands, create or delete files, and/or disable services. The issue could allow an attacker to completely compromise the network device.

The flaw received a severity score of 8.8, but according to the security advisory, for customers using the Appliance Mode, which applies some technical restrictions, the severity score raises to 9.9 out of 10.

According to the security advisory for CVE-2021-23031, only a limited number of customers are impacted by the issue in a critical mode.

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” reads the advisory. “The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.”

The vendor recommends updating the device, where it is not possible admins should limit access to the Configuration utility only to completely trusted users.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a security advisory encouraging users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.

F5 addressed high-severity 30 vulnerabilities in multiple products, they include authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery bugs, along insufficient permission and denial-of-service flaws.

The flaws received a severity score between 7.2 and 7.5. Below is the list of issues fixed by the vendor:

CVE / Bug IDSeverityCVSS scoreAffected productsAffected versionsFixes introduced in
CVE-2021-23025High7.2BIG-IP (all modules)15.0.0 – 15.1.0
14.1.0 – 14.1.3
13.1.0 – 13.1.3
12.1.0 – 12.1.6
11.6.1 – 11.6.5
16.0.0
15.1.0.5
14.1.3.1
13.1.3.5
CVE-2021-23026High7.5BIG-IP (all modules)16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5
16.1.0
16.0.1.2
15.1.3
14.1.4.2
13.1.4.1
BIG-IQ8.0.0 – 8.1.0 
7.0.0 – 7.1.0
6.0.0 – 6.1.0
None
CVE-2021-23027High7.5BIG-IP (all modules)16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
16.1.0
16.0.1.2
15.1.3.1
14.1.4.3
CVE-2021-23028High7.5BIG-IP (Advanced WAF, ASM)16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.3
16.1.0
16.0.1.2
15.1.3.1
14.1.4.2
13.1.4
CVE-2021-23029High7.5BIG-IP (Advanced WAF, ASM)16.0.0 – 16.0.116.1.0
16.0.1.2
CVE-2021-23030High7.5BIG-IP (Advanced WAF, ASM)16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
16.1.0
16.0.1.2
15.1.3.1
14.1.4.3
13.1.4.1
CVE-2021-23031High–Critical – Appliance mode only8.8–9.9BIG-IP (Advanced WAF, ASM)16.0.0 – 16.0.1
15.1.0 – 15.1.2
14.1.0 – 14.1.4
13.1.0 – 13.1.3
12.1.0 – 12.1.5
11.6.1 – 11.6.5
16.1.0
16.0.1.2
15.1.3
14.1.4.1
13.1.4
12.1.6
11.6.5.3
CVE-2021-23032High7.5BIG-IP (DNS)16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4 
12.1.0 – 12.1.6
16.1.0 
15.1.3.1
14.1.4.4
CVE-2021-23033High7.5BIG-IP (Advanced WAF, ASM)16.0.0 – 16.0.1
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
16.1.0
15.1.3.1
14.1.4.3
13.1.4.1
CVE-2021-23034High7.5BIG-IP (all modules)16.0.0 – 16.0.1
15.1.0 – 15.1.3
16.1.0 
15.1.3.1
CVE-2021-23035High7.5BIG-IP (all modules)14.1.0 – 14.1.414.1.4.4
CVE-2021-23036High7.5BIG-IP (Advanced WAF, ASM, DataSafe)16.0.0 – 16.0.116.1.0
16.0.1.2
CVE-2021-23037High7.5BIG-IP (all modules)16.0.0 – 16.1.0
15.1.0 – 15.1.3
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5
None

The vendor also fixed medium and low severity vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment