"F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs"

F5 Networks is warning users to patch four critical remote command execution (RCE) flaws in its BIG-IP and BIG-IQ enterprise networking products. If exploited, the flaws could allow attackers to take full control of a vulnerable system. The company's advisory covers seven bugs in total: the four critical flaws, two rated high risk and one rated medium risk. F5 provides enterprise networking to some of the largest technology companies globally, including Facebook, Microsoft and Oracle, and to a trove of Fortune 500 companies, among them some of the world's most prominent financial institutions and ISPs.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations using BIG-IP and BIG-IQ to fix two of the critical vulnerabilities, tracked as CVE-2021-22986 and CVE-2021-22987.

CVE-2021-22986 (CVSS 9.8) is an unauthenticated remote command execution vulnerability in the iControl REST interface. CVE-2021-22987 (CVSS 9.9) affects the Traffic Management User Interface (TMUI), also referred to as the Configuration utility: when the device is running in Appliance mode, the TMUI is exposed to an authenticated RCE vulnerability.

The two other critically rated vulnerabilities are tracked as CVE-2021-22991 and CVE-2021-22992. CVE-2021-22991 (CVSS 9.0) is a buffer overflow that can be triggered when undisclosed requests to a virtual server are incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization. This can result in a denial-of-service (DoS) condition that, in some situations, may theoretically allow bypass of URL-based access control or remote code execution. CVE-2021-22992 (CVSS 9.0) is also a buffer overflow; it can be triggered by "a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy," according to F5. It too may allow RCE and "complete system compromise" in some situations, the company warned.

The three non-critical bugs patched in F5's update this week are CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990.

Threatpost reports: "F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs"