F5 Networks have addressed critical vulnerabilities in its BIG-IP networking device. The vulnerability tracked as CVE-2021-23031 is a privilege escalation issue on BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI).
According to the security advisory, when this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services.
Similarly, this flaw may result in complete system compromise. BIG-IP systems have the option of running in Appliance mode.
This appliance mode is designed to meet the needs of customers in, particularly sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.
The flaw has a severity score of 8.8, nevertheless, the security advisory says, for customers using the Appliance Mode, applies some technical restrictions, the severity score raises to 9.9 out of 10.
Also, only a limited number of customers are impacted by the issue in a critical mode.
“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9”, reads the security advisory.
| Product | Branch | Versions known to be vulnerable1 | Fixes introduced in | Severity | CVSSv3 score2 | Vulnerable component or feature |
| BIG-IP (Advanced WAF and ASM) | 16.x | 16.0.0 – 16.0.1 | 16.1.0 16.0.1.2 | High — Critical – Appliance mode only3 | 8.8 — 9.93 | TMUI/Configuration utility |
| 15.x | 15.1.0 – 15.1.2 | 15.1.3 | ||||
| 14.x | 14.1.0 – 14.1.4 | 14.1.4.1 | ||||
| 13.x | 13.1.0 – 13.1.3 | 13.1.4 | ||||
| 12.x | 12.1.0 – 12.1.5 | 12.1.6 | ||||
| 11.x | 11.6.1 – 11.6.5 | 11.6.5.3 | ||||
| BIG-IP (all other modules) | 16.x | None | Not applicable | Not vulnerable | None | None |
| 15.x | None | Not applicable | ||||
| 14.x | None | Not applicable | ||||
| 13.x | None | Not applicable | ||||
| 12.x | None | Not applicable | ||||
| 11.x | None | Not applicable | ||||
| BIG-IQ Centralized Management | 8.x | None | Not applicable | Not vulnerable4 | None | None |
| 7.x | None | Not applicable | ||||
| 6.x | None | Not applicable | ||||
| F5OS | 1.x | None | Not applicable | Not vulnerable | None | None |
| Traffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None |
List of Issues Addressed by F5
F5 mentions that users can eliminate this vulnerability by installing a version listed in the Fixes column.
F5 addressed 30 high-severity vulnerabilities in multiple products, which include authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery issues, insufficient permission, and denial-of-service flaws.
F5 states that the only mitigation is to remove access for users who are not completely trusted since this attack is conducted by legitimate and authenticated users.
A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…