Twenty-one vulnerabilities were discovered in F5 BIG-IQ and BIG-IP devices, including four critical Remote Code Execution (RCE) CVEs that are actively exploited by malicious actors.
- CVE-2021-22986: The iControl REST interface allows unauthenticated remote command execution.
A proof-of-concept exploit has been released for this vulnerability, which increases exposure and makes targeting by threat actors easier.
- CVE-2021-22987: When the system runs in Appliance mode, the Traffic Management User Interface (TMUI) is affected by an authenticated remote command execution vulnerability in undisclosed pages.
- CVE-2021-22991: The Traffic Management Microkernel (TMM) may incorrectly handle undisclosed requests, which can result in a buffer overflow and be used for remote code execution (RCE) or to bypass URL-based access control.
- CVE-2021-22992: A malicious HTTP response to Advanced WAF/BIG-IP ASM can result in a buffer overflow and be used for remote code execution (RCE).
Previous incidents: In July 2020, two vulnerabilities, CVE-2020-5902 and CVE-2020-5903, were discovered in F5 devices. The former was exploited only a day after it was found. Since then, updates and an IoC detection tool have been released. This vulnerability was actively used by many threat actors. That precedent shows the urgency of patching devices as soon as possible.
RECOMMENDED SOLUTION
- F5 encourages updating BIG-IP and BIG-IQ systems using its dedicated guide.
- F5 Support also provides a detailed overview of the disclosed CVEs and their respective updates.
- To diagnose vulnerabilities, F5 iHealth can be used.
POSSIBLE MITIGATION
- Restrict access to the iControl REST API from Self-IPs and authorize only trusted devices.
For more information, refer to F5's dedicated support page for solutions to mitigate and defend your devices.
Sources: F5 website, CERT-FR, Bleeping Computer, Recorded Future.