F5 BIG-IP/BIG-IQ High-Risk Vulnerabilities Threat Alert

March 24, 2021 | Jie Ji

Vulnerability Description

On March 11, NSFOCUS observed that F5 released a security bulletin announcing fixes for multiple high-risk vulnerabilities (CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, CVE-2021-22990, CVE-2021-22991, and CVE-2021-22992) that affect F5 BIG-IP and BIG-IQ.

Users are advised to take preventive measures as soon as possible.

BIG-IP is an F5 application delivery platform that integrates the functions of network traffic management, application security management, and load balancing. BIG-IQ is an intelligent framework for managing and orchestrating F5 security and application delivery solutions.

Reference link:

https://support.f5.com/csp/article/K02566623

Description of Major Vulnerabilities

iControl REST Remote Command Execution Vulnerability (CVE-2021-22986)

An unauthenticated attacker with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, can execute arbitrary system commands, create or delete files, and disable services. The BIG-IP system in Appliance mode is also vulnerable. This vulnerability has a CVSS score of 9.8.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K03009991

TMUI Remote Command Execution Vulnerability (CVE-2021-22987)

In Appliance mode, an authenticated attacker with access to TMUI through the BIG-IP management port or self IP addresses can achieve complete system compromise and break out of Appliance mode. This vulnerability can be exploited through the control plane. This vulnerability has a CVSS score of 9.9.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K18132488

TMUI Remote Command Execution Vulnerability (CVE-2021-22988)

An authenticated attacker with access to TMUI through the BIG-IP management port or self IP addresses can create or delete files or disable services. This vulnerability can be exploited through the control plane.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K70031188

Appliance Mode Advanced WAF/ASM TMUI Remote Command Execution Vulnerability (CVE-2021-22989)

When Advanced WAF or ASM is configured in Appliance mode, an attacker with the role of Administrator, Resource Administrator, or Application Security Administrator and with access to TMUI through the BIG-IP management port or self IP addresses can execute arbitrary system commands, create or delete files, or disable services.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K56142644

Advanced WAF/ASM TMUI Remote Command Execution Vulnerability (CVE-2021-22990)

On a system configured with Advanced WAF or BIG-IP ASM, an attacker with the role of Administrator, Resource Administrator, or Application Security Administrator and with network access to TMUI through the BIG-IP management port or self IP addresses can execute arbitrary system commands, create or delete files, or disable services.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K45056101

TMM Buffer Overflow Vulnerability (CVE-2021-22991)

Undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization. This may trigger a buffer overflow, resulting in a denial of service (DoS). Attackers could exploit this vulnerability through the control plane to bypass URL-based access control or achieve remote code execution (RCE) in certain situations. This vulnerability has a CVSS score of 9.0.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K56715231

Advanced WAF/ASM Buffer Overflow Vulnerability (CVE-2021-22992)

A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a denial of service (DoS) attack. Attackers could exploit this vulnerability through the data plane and cause remote code execution in certain situations. This vulnerability has a CVSS score of 9.0.

For details of this vulnerability, visit the following link:

https://support.f5.com/csp/article/K52510511

Scope of Impact

CVE-2021-22986:

Affected Versions

  • BIG-IP: 16.0.0-16.0.1
  • BIG-IP: 15.1.0-15.1.2
  • BIG-IP: 14.1.0-14.1.3.1
  • BIG-IP: 13.1.0-13.1.3.5
  • BIG-IP: 12.1.0-12.1.5.2
  • BIG-IQ: 7.1.0-7.1.0.2
  • BIG-IQ: 7.0.0-7.0.0.1
  • BIG-IQ: 6.0.0-6.1.0

Unaffected Versions

  • BIG-IP: 16.0.1.1
  • BIG-IP: 15.1.2.1
  • BIG-IP: 14.1.4
  • BIG-IP: 13.1.3.6
  • BIG-IP: 12.1.5.3
  • BIG-IQ: 8.0.0
  • BIG-IQ: 7.1.0.3
  • BIG-IQ: 7.0.0.2

CVE-2021-22987/CVE-2021-22988/CVE-2021-22989/CVE-2021-22990/CVE-2021-22992

Affected Versions

  • BIG-IP: 16.0.0-16.0.1
  • BIG-IP: 15.1.0-15.1.2
  • BIG-IP: 14.1.0-14.1.3.1
  • BIG-IP: 13.1.0-13.1.3.5
  • BIG-IP: 12.1.0-12.1.5.2
  • BIG-IP: 11.6.1-11.6.5.2

Unaffected Versions

  • BIG-IP: 16.0.1.1
  • BIG-IP: 15.1.2.1
  • BIG-IP: 14.1.4
  • BIG-IP: 13.1.3.6
  • BIG-IP: 12.1.5.3
  • BIG-IP: 11.6.5.3

CVE-2021-22991

Affected Versions

  • BIG-IP: 16.0.0-16.0.1
  • BIG-IP: 15.1.0-15.1.2
  • BIG-IP: 14.1.0-14.1.3.1
  • BIG-IP: 13.1.0-13.1.3.5
  • BIG-IP: 12.1.0-12.1.5.2

Unaffected Versions

  • BIG-IP: 16.0.1.1
  • BIG-IP: 15.1.2.1
  • BIG-IP: 14.1.4
  • BIG-IP: 13.1.3.6
  • BIG-IP: 12.1.5.3

Check for the Vulnerability

Version Check

1. Run the following command in TMOS shell (tmsh) to check the current version:

2. Alternatively, log in to the web-based manager to check the current BIG-IP version:

If it is within the scope of impact, the version is vulnerable.
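
To run the version check across several devices, the affected ranges listed under Scope of Impact can be encoded and compared programmatically. The following Python script is an added example, not part of the original advisory or of F5's tooling; it assumes the version is the dotted release number reported by the device (for example by `tmsh show sys version`), and the hostnames in the sample inventory are constructed.

```python
# Added example: affected ranges transcribed from the "Scope of Impact" lists above.
BIG_IP_COMMON = [("16.0.0", "16.0.1"), ("15.1.0", "15.1.2"), ("14.1.0", "14.1.3.1"),
                 ("13.1.0", "13.1.3.5"), ("12.1.0", "12.1.5.2")]
TMUI_ASM_CVES = ("CVE-2021-22987", "CVE-2021-22988", "CVE-2021-22989",
                 "CVE-2021-22990", "CVE-2021-22992")

AFFECTED = {
    "CVE-2021-22986": {
        "BIG-IP": BIG_IP_COMMON,
        "BIG-IQ": [("7.1.0", "7.1.0.2"), ("7.0.0", "7.0.0.1"), ("6.0.0", "6.1.0")],
    },
    "CVE-2021-22991": {"BIG-IP": BIG_IP_COMMON},
}
for cve in TMUI_ASM_CVES:
    # This group additionally lists the 11.6.x branch.
    AFFECTED[cve] = {"BIG-IP": BIG_IP_COMMON + [("11.6.1", "11.6.5.2")]}


def parse_version(text):
    """Turn '14.1.3.1' into (14, 1, 3, 1), zero-padded to four components."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def affected_cves(product, version):
    """Return the sorted CVE IDs whose affected ranges include product/version."""
    v = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are hypothetical).
    inventory = [("lb-edge-01", "BIG-IP", "15.1.2"), ("lb-edge-02", "BIG-IP", "15.1.2.1"),
                 ("lb-legacy", "BIG-IP", "11.6.3"), ("mgmt-iq", "BIG-IQ", "7.0.0.1")]
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        print(f"{host} {product} {version}: {', '.join(cves) or 'not in a listed affected range'}")
```

An empty result only means the version falls outside the ranges listed in this advisory; branches and hotfix builds not listed here still need to be checked against the F5 articles linked above.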

Mitigation

Official Fix

Currently, these vulnerabilities have been fixed in the latest versions. If you are affected by these vulnerabilities, please upgrade your installation as soon as possible. For the links to the downloadable new releases, see the following:

BIG-IP: https://support.f5.com/csp/article/K9502

BIG-IQ: https://support.f5.com/csp/article/K15113

For the upgrade guide and notes, please refer to the following links:

BIG-IP: https://support.f5.com/csp/article/K13123

BIG-IQ: https://support.f5.com/csp/article/K15106

Workaround

If it is impossible to upgrade currently, users can take the following mitigation measures:

CVE-2021-22986:

Block access to iControl REST from self IP addresses: Set the Port Lockdown option of each self IP address to Allow None. If you must open any ports, you should enable the Allow Custom option. By default, iControl REST listens on port 443.

Block access to iControl REST through the management interface: restrict management access only to trusted users and devices.

CVE-2021-22987/CVE-2021-22988/CVE-2021-22989/CVE-2021-22990:

Block access to the Configuration utility from self IP addresses: Set the Port Lockdown option of each self IP address on the system to Allow None. If you must open any ports, you should enable the Allow Custom option. By default, the Configuration utility listens on port 443.

Block access to the Configuration utility through the management interface: restrict management access only to trusted users and F5 devices.

CVE-2021-22992:

Use an iRule to mitigate malicious connections:

  1. Log in to the Configuration utility.
  2. Choose Local Traffic > iRules > iRule List.
  3. Select Create.
  4. Type a name for the iRule.
  5. Add the following iRule code in the Definition.
  6. Select Finished.
  7. Associate the iRule with the vulnerable virtual servers.

Modify configurations on the login interface:

  1. Log in to the Configuration utility of the affected Advanced WAF/ASM system.
  2. Choose Security > Application Security > Sessions and Logins > Login Pages List.
  3. Select a security policy from the current edited policy list.
  4. Remove all configuration from both settings.
  5. Select Save to save the changes.
  6. Select Apply Policy to apply the changes.
  7. Select OK to confirm the operation.

Remove login pages:

  1. Log in to the Configuration utility of the affected Advanced WAF/ASM system.
  2. Choose Security > Application Security > Sessions and Logins > Login Pages List.
  3. Select security policies from the current edited policy list.
  4. Select the login page configuration you want to remove.
  5. Select Delete.
  6. Select OK to confirm the deletion.
  7. Select Apply Policy to apply the changes.
  8. Select OK to confirm the operation.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
