New Security Patches Released by F5 for BIG-IP and BIG-IQ Devices

F5, the company behind the BIG-IP application services platform, has fixed more than a dozen high-severity vulnerabilities in its networking devices, one of which is elevated to critical severity under certain conditions.

These fixes are part of this month's batch of security updates, which addresses about 30 vulnerabilities across multiple F5 devices.

What are the Critical Bugs affecting Sensitive Sectors?

Of the thirteen high-severity bugs that F5 fixed, one becomes critical in a configuration “designed to meet the requirements of customers in specifically sensitive sectors” and could lead to complete system compromise.

The flaw is tracked as CVE-2021-23031 and affects the BIG-IP Advanced WAF (Web Application Firewall) and Application Security Manager (ASM) modules, specifically their Traffic Management User Interface (TMUI).

It is a privilege escalation flaw with a severity score of 8.8 that can be abused by an unauthenticated attacker with access to the Configuration utility to run arbitrary system commands, which could result in complete system compromise. For customers running in Appliance Mode, which applies additional technical restrictions, the same vulnerability carries a critical rating of 9.9 out of 10.

F5’s security advisory for CVE-2021-23031 does not provide many details on why there are two severity ratings, but it notes that a “limited number of users” are affected by the critical variant of the flaw unless they install the updated version or apply a mitigation.

For organizations where patching the devices is not possible, F5 says that the only way to defend against possible exploitation is to restrict access to the Configuration utility to completely trusted users only.

Apart from CVE-2021-23031, the dozen high-severity security bugs that F5 addressed this month carry risk scores between 7.2 and 7.5. Half of them affect all modules, five impact Advanced WAF and ASM, and one affects the DNS module.

What are the Vulnerabilities Resolved by F5?

  • CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
  • CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
  • CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
  • CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
  • CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
  • CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM Websocket vulnerabilities
  • CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
  • CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities

F5 has also patched some other bugs, ranging from directory traversal and SQL injection to open redirect and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.

Since F5 devices are frequently targeted for active exploitation by threat actors, users and administrators are strongly advised to install the updated software or apply the necessary mitigations as soon as possible.
