F5 Networks has addressed a critical vulnerability in its BIG-IP networking devices. The vulnerability, tracked as CVE-2021-23031, is a privilege escalation issue in the Traffic Management User Interface (TMUI) of BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM).
BIG-IP Flaw
According to the security advisory, an authenticated attacker with access to the Configuration utility can exploit this vulnerability to execute arbitrary system commands, create or delete files, and/or disable services.
As a result, this flaw may lead to complete system compromise. BIG-IP systems can optionally run in Appliance mode.
Appliance mode is designed to meet the needs of customers in particularly sensitive sectors by limiting administrative access to the BIG-IP system to match that of a typical network appliance rather than a multi-user UNIX device.
The flaw has a CVSSv3 score of 8.8; however, the security advisory states that for customers running Appliance mode, which applies additional technical restrictions, the score rises to 9.9 out of 10.
Only a limited number of customers are therefore affected at the critical severity level.
“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9”, reads the security advisory.
| Product | Branch | Versions known to be vulnerable¹ | Fixes introduced in | Severity | CVSSv3 score² | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (Advanced WAF and ASM) | 16.x | 16.0.0 – 16.0.1 | 16.1.0, 16.0.1.2 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (Advanced WAF and ASM) | 15.x | 15.1.0 – 15.1.2 | 15.1.3 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (Advanced WAF and ASM) | 14.x | 14.1.0 – 14.1.4 | 14.1.4.1 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (Advanced WAF and ASM) | 13.x | 13.1.0 – 13.1.3 | 13.1.4 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (Advanced WAF and ASM) | 12.x | 12.1.0 – 12.1.5 | 12.1.6 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (Advanced WAF and ASM) | 11.x | 11.6.1 – 11.6.5 | 11.6.5.3 | High (Critical in Appliance mode only³) | 8.8 (9.9 in Appliance mode³) | TMUI/Configuration utility |
| BIG-IP (all other modules) | 16.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all other modules) | 15.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all other modules) | 14.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all other modules) | 13.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all other modules) | 12.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IP (all other modules) | 11.x | None | Not applicable | Not vulnerable | None | None |
| BIG-IQ Centralized Management | 8.x | None | Not applicable | Not vulnerable⁴ | None | None |
| BIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable⁴ | None | None |
| BIG-IQ Centralized Management | 6.x | None | Not applicable | Not vulnerable⁴ | None | None |
| F5OS | 1.x | None | Not applicable | Not vulnerable | None | None |
| Traffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None |
List of Issues Addressed by F5
F5 notes that users can eliminate this vulnerability by installing a version listed in the "Fixes introduced in" column for their branch.
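To turn the table above into a triage check for an inventory of BIG-IP devices, here is an added example (not code from F5 or the advisory). It encodes the vulnerable ranges, fix versions and CVSS scores from the table, compares version strings as integer tuples, and treats the fix on the same minor line as the upper bound, so a point release above a listed range end (for instance 16.0.1.1) is still reported as vulnerable until 16.0.1.2; the `asm_provisioned` and `appliance_mode` inputs are assumptions supplied by the caller from their own inventory.

```python
"""Triage BIG-IP versions against the CVE-2021-23031 table (added example)."""
from typing import NamedTuple, Optional, Tuple


class Assessment(NamedTuple):
    vulnerable: bool
    fixes: Tuple[str, ...]   # "Fixes introduced in" entries for the branch
    cvss: Optional[float]    # 8.8, or 9.9 in Appliance mode


# Rows of "BIG-IP (Advanced WAF and ASM)": (branch, first vulnerable, last listed, fixes)
AFFECTED = [
    (16, "16.0.0", "16.0.1", ("16.1.0", "16.0.1.2")),
    (15, "15.1.0", "15.1.2", ("15.1.3",)),
    (14, "14.1.0", "14.1.4", ("14.1.4.1",)),
    (13, "13.1.0", "13.1.3", ("13.1.4",)),
    (12, "12.1.0", "12.1.5", ("12.1.6",)),
    (11, "11.6.1", "11.6.5", ("11.6.5.3",)),
]


def parse(version: str) -> Tuple[int, ...]:
    """'16.0.1.2' -> (16, 0, 1, 2); tuples compare element-wise, so 16.0.1 < 16.0.1.1."""
    return tuple(int(part) for part in version.split("."))


def assess(version: str, asm_provisioned: bool, appliance_mode: bool) -> Assessment:
    """Only the Advanced WAF/ASM TMUI is affected; all other modules are not vulnerable."""
    if not asm_provisioned:
        return Assessment(False, (), None)
    v = parse(version)
    for branch, first, last, fixes in AFFECTED:
        if v[0] != branch:
            continue
        # The fix on the same minor line (16.0.1.2 rather than 16.1.0) bounds the
        # vulnerable builds from above: everything from `first` up to it is affected.
        upper = next(parse(f) for f in fixes if parse(f)[:2] == parse(first)[:2])
        assert parse(last) < upper, "table range must end before its fix version"
        if parse(first) <= v < upper:
            return Assessment(True, fixes, 9.9 if appliance_mode else 8.8)
    return Assessment(False, (), None)


if __name__ == "__main__":
    # Constructed sample inventory: (version, ASM provisioned?, Appliance mode?)
    for ver, asm, appl in [("16.0.1.1", True, False), ("16.0.1.2", True, False),
                           ("11.6.5.2", True, True), ("14.1.4", False, False)]:
        print(ver, assess(ver, asm, appl))
```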
F5 also addressed 30 high-severity vulnerabilities across multiple products, including authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery issues, insufficient-permission issues, and denial-of-service flaws.
Mitigation
F5 states that the only mitigation is to remove Configuration utility access from users who are not completely trusted, since the attack is carried out by legitimate, authenticated users. Access can be restricted in two ways:
- Block Configuration utility access through self IP addresses.
- Block Configuration utility access through the management interface.

These mitigations limit access to the Configuration utility to trusted networks or devices only, thereby reducing the attack surface.