Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.

An advisory dated today lists seven CVEs, four rated critical.

Most of the bugs concern TMUI – the Traffic Management User Interface that users work with to drive F5 products – and they can be exploited to achieve remote code execution, denial of service attacks, or complete device takeovers; sometimes all three. The iControl REST API that F5 offers to automate its products is also problematic.

To kick off, there's CVE-2021-22987, which scores a 9.9 on the ten-point CVSS scale of severity as it “allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.” Administrators are advised the flaw allows “complete system compromise and breakout of Appliance mode.” Note that this can only be exploited via the control plane, and it does require an attacker to have a valid login – so a rogue insider or someone using stolen credentials, perhaps.

At a mere 9.8 rating, CVE-2021-22986 “allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.” Complete system compromise is again a possible consequence. We note that this doesn't require authentication, is also only exploitable via the control plane, and yet scores lower than '22987. That's because the latter bug changes the security scope when exploited, apparently.

CVE-2021-22991 and CVE-2021-22992 each score mere 9.0 each.

If your installation is vulnerable to '22991, “undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack." Breaking URL based access control or allowing remote code execution (RCE) are other possible consequences. Google Project Zero's Felix Wilhelm has more technical details here.

The '22992 flaw is also a potential horror show. F5 says: “A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.” Google's Wilhelm has a proof-of-concept exploit and more info here.

You’re not out of the woods yet, dear reader, because the next on the list has an 8.8 CVSS rating, so is still very unpleasant. CVE-2021-22988 means that BIG-IP’s Traffic Management User Interface "has an authenticated remote command execution vulnerability in undisclosed pages."

CVE-2021-22989 throttles back the horror with its 8.0 rating, but it allows “highly privileged authenticated users … to execute arbitrary system commands, create or delete files, or disable services.” Complete system compromise and breakout of Appliance mode are again possible.

The runt of the litter, with a 6.6 rating, is CVE-2021-22990.

Fixes are in if you upgrade BIG-IP to versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 impacts another F5 product, BIG-IQ, and can be fixed with an upgrade to versions 8.0.0, 7.1.0.3, and 7.0.0.2.

F5’s warning about the seven nasties also drops in a mention that it has released details of 14 other CVEs impacting unrelated to those described above. They’re listed here.

The seven main bugs are bad enough that America's Cyberspace and Infrastructure Agency (CISA) issued an advisory in which it “encourages users and administrators review the F5 advisory and install updated software as soon as possible.” That's perhaps because foreign miscreants have exploited F5 holes in the past to sneak into networks belonging to Uncle Sam and big business.

CISA and the FBI have also published a Joint Cybersecurity Advisory [PDF] detailing last week’s year-ruining bugs in Microsoft’s Exchange Server.

The dossier says observed attacks exploiting the Exchange flaws are “consistent with previous targeting activity by Chinese cyber actors.”

“Illicitly obtained business information, advanced technology, and research data may undermine business operations and research development of many U.S. companies and institutions,” the document added.

It identifies “local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” has having been attacked via Microsoft’s mistakes. ®