In a week that has already brought the disclosure of four Exchange zero days, and a massive Patch Tuesday release from Microsoft that included fixes for seven serious DNS flaws, the last thing enterprise security teams needed was another major set of bugs to worry about. But on Wednesday, F5 announced four critical vulnerabilities in its BIG-IP appliances, all of which allow remote code execution.
The four bugs represent serious threats for all organizations with BIG-IP deployments, as at least one of them does not require authentication before exploitation, and even the ones that do would lead to complete system compromise if they’re exploited.
“The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances—we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” Kara Sprague of F5 said in a post.
The F5 BIG-IP appliances are powerful backend devices that are used for a number of functions, including load balancing and traffic inspection. The appliances can terminate TLS sessions and act as full proxies.
The most serious of the four critical vulnerabilities fixed Wednesday is CVE-2021-22987, which affects several versions of BIG-IP as well as the BIG-IQ centralized management system.
“This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane.” the F5 advisory says.
“Exploitation can lead to complete system compromise and breakout of Appliance mode. Appliance mode is enforced by a specific license or may be enabled or disabled for individual vCMP guest instances.”
One of the other critical flaws, CVE-2021-22986, does not require any authentication to exploit.
“This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise,” the F5 advisory says.
F5 officials said the company found some of the vulnerabilities as part of periodic internal security reviews, but some were identified by external researchers, too. One of those is CVE-2021-22992, a stack buffer overflow in BIG-IP that a researcher with Google’s Project Zero team uncovered in December.
“The bd daemon, which runs as part of the F5 BIG-IP Application Security Manager (ASM), is vulnerable to a stack-based buffer overflow when processing overlong HTTP response headers in the ‘is_hdr_criteria_matches’ function,” the Project Zero advisory says.
“While triggering the vulnerability is complex, exploiting it is trivial: The bd process has an executable stack and does not support basic exploit mitigations like PIE or stack cookies. The attached proof-of-concept demonstrates arbitrary code execution against F5 BigIP v16.01 assuming a vulnerable ASM configuration and a compromised backend.”
In addition to the four critical bugs, F5 also patched two high-severity and one medium-severity flaw on Wednesday.