F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices

Enterprise security and network appliance vendor F5 has released patches for more than two dozen security vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a wide range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.

Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.

Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.

It’s worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability comes with a critical rating of 9.9 out of 10. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.

The other major vulnerabilities resolved by F5 are listed below:

  • CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
  • CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
  • CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
  • CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
  • CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
  • CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM Websocket vulnerabilities
  • CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
  • CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities

Additionally, F5 has patched a number of flaws ranging from directory traversal and SQL injection to open redirect and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more storage space than expected when the firewall's brute-force protection features are enabled.

With F5 devices often becoming juicy targets for active exploitation attempts by threat actors, it’s highly recommended that users and administrators install updated software or apply the necessary mitigations as soon as possible.
