F5 released patches of more than two dozen security vulnerabilities impacting BIG-IP and BIG-IQ products.
Notably, is the F5 bug CVE-2021-23031 (CVSS 8.8) which is elevated to critical (CVSS 9.9) for “Appliance Mode” users because it could allow authenticated attackers to bypass restrictions in this state and escalate privileges resulting in complete system takeover.
The Appliance Mode was intended for sensitive sectors to disable BIG-IP system administrative functions to match a “typical network appliance and not a multi-user UNIX device.”
F5 said only a limited number of customers were using this mode. However, this does not diminish the threat posed by the security vulnerability given that the affected companies are high priority industries.
The Cybersecurity Infrastructure and Security Agency (CISA) had issued an alert in August 2021 for the F5 flaws.
The company says that CVE-2021-23031 affects the Advanced Web Application Firewall (WAF), the Application Security Manager (ASM), and the Traffic Management User Interface (TMUI).
Once the vulnerability is exploited, authenticated attacker with access to the configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. F5 notes that exploitation of the vulnerability may result in complete system compromise.
The company said there is no viable mitigation to prevent users from accessing the Configuration Utility because it can be exploited by an authenticated attacker. The company advises network administrators to limit access to trusted users.
“As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration Utility. The only mitigation is to remove access for users who are not completely trusted.”
F5’s advisory included a patched version that users should install to prevent exploitation. However, not every user can do so.
Customers unable to install the patched version should restrict access to the Configuration Utility to only trusted networks and devices. They can also mitigate the vulnerability by blocking access using self IP addresses.
Users can accomplish this by setting the “Port Lockdown” setting to “Allow None” for every known self IP address on the system. Optionally, they could set the “Allow Custom” option to enable any necessary ports required. Similarly, they could also restrict access through the management interface.
“Since F5’s products are used in many hosting and large enterprise applications, users should check the F5 advisories to check if their equipment is vulnerable,” Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, said. “Attackers gaining control of any of those listed devices, specifically the web application firewall, could wreak havoc across an estate.”
Nikkel said that organizations must patch the listed security vulnerabilities as soon as possible to prevent a breach of critical infrastructure.
“If it can’t be done, steps should be taken to mitigate the risk and at least deploy some of the best practice recommendations from F5, like allowing only trusted, authenticated users to access some of the applications.”
Half of the F5 patched security vulnerabilities affect all modules
While CVE-2021-23031 affects a limited number of sensitive sectors, other patched vulnerabilities had a bigger victim base.
Ranging from 7.2 to 7.5 in severity, half of the F5 security vulnerabilities affected all modules. Out of 29 patched security vulnerabilities, 13 ranked as high-severity, with one shifting to critical depending on the use case, 15 scored medium, and one earned the low severity score.
Given that all modules are affected by one bug or another, all users must apply the latest bug fixes to prevent the exploitation of F5 security vulnerabilities.
In summary, F5 security vulnerabilities expose users to various threats, including authenticated remote command execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), privilege escalation, and denial-of-service (DOS) attacks.
“Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company’s network via the external perimeter,” says Jonathan Chua, Application Security Consultant at nVisium.