Critical vulnerabilities in F5 BIG-IP and BIG-IQ systems now actively exploited

Published: 22/03/2021

Reference:
Advisory #2021-0004

Version:
1.0

Affected software:
F5 BIG-IP (see table for vulnerable versions)
F5 BIG-IQ (see table for vulnerable versions)

Type:
4 critical CVEs make “Remote command execution” and “Buffer-overflows” possible

CVE/CVSS:
CVSS score: Highest at 9.9/10

  • CVE-2021-22986 (CVSS: 9.8)
  • CVE-2021-22987 (CVSS: 9.9)
  • CVE-2021-22991 (CVSS: 9.0)
  • CVE-2021-22992 (CVSS: 9.0)

Sources

Official Manufacturer: https://support.f5.com/csp/article/K02566623

Risks

The 4 critical vulnerabilities are briefly described below.

The non-vulnerable versions of the products can be found in the corresponding tables.

CVE-2021-22986

An attacker exploiting the vulnerability CVE-2021-22986 can execute arbitrary system commands, create or delete files and disable services. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.

This vulnerability has been observed being actively exploited.

Vendor’s reference: https://support.f5.com/csp/article/K03009991

Affected products: F5 BIG-IP (CVE-2021-22986)

BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)

| Branch | Vulnerable versions | Non-vulnerable versions |
|---|---|---|
| 16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
| 15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
| 14.X | 14.1.0 - 14.1.3 | 14.1.4 |
| 13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
| 12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
| 11.X | 11.6.1 - 11.6.5 | 11.6.5.3 |

* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)

Affected products: F5 BIG-IQ (CVE-2021-22986)

| Branch | Vulnerable versions | Non-vulnerable versions |
|---|---|---|
| 8.X | None | 8.0.0 |
| 7.X | 7.0.0, 7.1.0 | 7.0.0.2, 7.1.0.3 |
| 6.X | 6.0.0 - 6.1.0 | None |

CVE-2021-22987

An attacker exploiting the vulnerability CVE-2021-22987 can perform an “authenticated remote command execution” in undisclosed pages.

Vendor's reference: https://support.f5.com/csp/article/K18132488

Affected products: F5 BIG-IP (CVE-2021-22987)

BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)

| Branch | Vulnerable versions | Non-vulnerable versions |
|---|---|---|
| 16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
| 15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
| 14.X | 14.1.0 - 14.1.3 | 14.1.4 |
| 13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
| 12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
| 11.X | None | Not applicable |

* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)

CVE-2021-22991

An attacker exploiting the vulnerability CVE-2021-22991 can trigger a buffer overflow when undisclosed requests are handled by the Traffic Management Microkernel (TMM).

Vendor's reference: https://support.f5.com/csp/article/K56715231

Affected products: F5 BIG-IP (CVE-2021-22991)

BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)

| Branch | Vulnerable versions | Non-vulnerable versions |
|---|---|---|
| 16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
| 15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
| 14.X | 14.1.0 - 14.1.3 | 14.1.4 |
| 13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
| 12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
| 11.X | None | Not applicable |

* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)

CVE-2021-22992

An attacker can exploit CVE-2021-22992 by sending a malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy. This may trigger a buffer overflow, resulting in a DoS (Denial of Service) attack.

Vendor's reference: https://support.f5.com/csp/article/K52510511

Affected products: F5 BIG-IP (CVE-2021-22992)

BIG-IP (Advanced WAF and ASM)

| Branch | Vulnerable versions | Non-vulnerable versions |
|---|---|---|
| 16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
| 15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
| 14.X | 14.1.0 - 14.1.3 | 14.1.4 |
| 13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
| 12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
| 11.X | 11.6.1 - 11.6.5 | 11.6.5.3 |

* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)

Description

A total of 21 vulnerabilities, including four CRITICAL vulnerabilities, have been reported.

4 Critical CVEs:

  • CVE-2021-22986: F5 BIG-IP and F5 BIG-IQ products are affected by a remote command execution vulnerability.
  • CVE-2021-22987: Remote command execution vulnerability when running in Appliance mode
  • CVE-2021-22991: Buffer-overflow vulnerability of the Traffic Management Microkernel (TMM)
  • CVE-2021-22992: Buffer-overflow vulnerability of the WAF/BIG-IP ASM virtual server login page

Other vulnerabilities rated HIGH (7) and MEDIUM (10) are explained on the vendor’s website: https://support.f5.com/csp/article/K02566623.

Recommended Actions

CERT.be recommends following the vendor's “recommended actions” for F5 BIG-IP and BIG-IQ products: https://support.f5.com/csp/article/K03009991.

CERT.be advises upgrading F5 BIG-IP and BIG-IQ products to a non-vulnerable version (see tables above).
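
To prioritise upgrades across a fleet, the BIG-IP tables above can be turned into a version check. The following is an added example, not code from CERT.be or F5: the function names, the `waf_asm` parameter and the sample versions in the test are constructed, and it expects a plain dotted version string. Versions that fall outside the ranges listed in the tables are reported as "not listed" rather than assumed safe.

```python
# Added example: fixed/first-vulnerable versions are copied from the
# advisory's BIG-IP tables; all names here are constructed.
CVES = ["CVE-2021-22986", "CVE-2021-22987", "CVE-2021-22991", "CVE-2021-22992"]

# Per branch: (first vulnerable version listed, first non-vulnerable version).
BRANCHES = {
    16: ((16, 0, 0, 0), (16, 0, 1, 1)),
    15: ((15, 1, 0, 0), (15, 1, 2, 1)),
    14: ((14, 1, 0, 0), (14, 1, 4, 0)),
    13: ((13, 1, 0, 0), (13, 1, 3, 6)),
    12: ((12, 1, 0, 0), (12, 1, 5, 3)),  # 12.1.5.3: see the bigd note (K50524736)
    11: ((11, 6, 1, 0), (11, 6, 5, 3)),
}
# The tables list branch 11.X as "None" for these two CVEs.
NOT_ON_11 = {"CVE-2021-22987", "CVE-2021-22991"}


def parse(version):
    """'15.1.2.1' -> (15, 1, 2, 1); shorter versions are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version, waf_asm=True):
    """Return (status, cves) for a BIG-IP version.

    status is 'vulnerable', 'fixed' or 'not listed' (branch or version
    not covered by the tables). waf_asm=False drops CVE-2021-22992,
    which the advisory lists for Advanced WAF and ASM only.
    """
    v = parse(version)
    if v[0] not in BRANCHES or v < BRANCHES[v[0]][0]:
        return ("not listed", [])
    if v >= BRANCHES[v[0]][1]:
        return ("fixed", [])
    cves = [c for c in CVES
            if not (v[0] == 11 and c in NOT_ON_11)
            and (waf_asm or c != "CVE-2021-22992")]
    return ("vulnerable", cves)
```

A "not listed" result means the advisory gives no statement for that version, so it should be checked against the vendor article rather than treated as unaffected.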

The vendor has posted “Considerations and guidance when you suspect a security compromise” on a BIG-IP system: https://support.f5.com/csp/article/K11438344. CERT.be recommends performing checks on the F5 systems and their logs to search for suspicious activity.


References

Manufacturer:

Other:

https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/