F5 has patched two Critical remote code execution (RCE) vulnerabilities and two Critical buffer overflow vulnerabilities that affect BIG-IP and BIG-IQ devices. The vendor also addressed two High severity bugs and one Medium severity flaw in the same advisory.
A remote attacker could exploit some of these vulnerabilities to take complete control of unpatched devices.
Critical F5 RCE bugs
F5 addressed these two RCE vulnerabilities:
- CVE-2021-22986: iControl REST unauthenticated remote command execution vulnerability (CVSS score: 9.8)
- CVE-2021-22987: Appliance Mode TMUI authenticated remote command execution vulnerability (CVSS score: 9.9)
Of special note, F5 described the impact from CVE-2021-22986 in the advisory:
“This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.”
CVE-2021-22987 affects BIG-IP systems running in Appliance mode: an authenticated attacker with network access to the Configuration utility, through the BIG-IP management port or self IP addresses, can likewise “execute arbitrary system commands, create or delete files, or disable services.”
Critical buffer overflow bugs
In addition, F5 fixed these two buffer overflow vulnerabilities:
- CVE-2021-22991: TMM buffer-overflow vulnerability (CVSS score: 9.0)
- CVE-2021-22992: Advanced WAF/ASM buffer-overflow vulnerability (CVSS score: 9.0)
F5 also patched two High severity vulnerabilities (CVE-2021-22988 and CVE-2021-22989), as well as a Medium severity bug (CVE-2021-22990).
F5 recommends that customers patch all seven of these vulnerabilities as soon as possible by upgrading to one of the following fixed BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, or 11.6.5.3. For BIG-IQ, the fixed versions 8.0.0, 7.1.0.3, and 7.0.0.2 address CVE-2021-22986.
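A quick way to check a fleet against the fixed versions listed above is to compare each device's reported version with the fix for its own release branch (major.minor), rather than with a single minimum version. The following is an added example, not code from F5 or from this article; it uses only the fixed versions the advisory names, treats any branch not in that list as unknown rather than safe, and parses a constructed `tmsh show sys version` snippet whose layout is an assumption about that command's output.

```python
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory (K02566623), keyed by product.
# Each entry is the first fixed release of its major.minor branch.
FIXED = {
    "BIG-IP": ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3", "11.6.5.3"],
    "BIG-IQ": ["8.0.0", "7.1.0.3", "7.0.0.2"],  # these address CVE-2021-22986
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '15.1.2.1' into (15, 1, 2, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int) -> Version:
    # Pad with zeros so 14.1.4 compares as 14.1.4.0 against 14.1.4.1.
    return v + (0,) * (n - len(v))


def fixed_release_for(product: str, version: str) -> Optional[Version]:
    """Return the fixed release for this version's major.minor branch, or None
    if the advisory lists no fix for that branch."""
    v = parse_version(version)
    for fixed in FIXED[product]:
        f = parse_version(fixed)
        if f[:2] == v[:2]:
            return f
    return None


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version >= the branch's fixed release, False if below it,
    None if the branch is not covered by the listed fixes (treat as unknown,
    not as safe: an unlisted branch may simply be out of support)."""
    f = fixed_release_for(product, version)
    if f is None:
        return None
    v = parse_version(version)
    n = max(len(v), len(f))
    return _pad(v, n) >= _pad(f, n)


# Constructed sample of `tmsh show sys version` output (layout assumed).
SAMPLE_TMSH = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2
  Build       0.0.9
  Edition     Final
"""


def assess_tmsh_output(text: str) -> Tuple[str, str, Optional[bool]]:
    """Extract product and version from tmsh output and classify the device."""
    product = re.search(r"^\s*Product\s+(\S+)", text, re.M)
    version = re.search(r"^\s*Version\s+(\S+)", text, re.M)
    if not product or not version:
        raise ValueError("could not find Product/Version lines in tmsh output")
    return product.group(1), version.group(1), is_patched(product.group(1), version.group(1))


if __name__ == "__main__":
    prod, ver, state = assess_tmsh_output(SAMPLE_TMSH)
    label = {True: "patched", False: "VULNERABLE", None: "unknown branch"}[state]
    print(f"{prod} {ver}: {label}")
```

A device on 15.1.2 is reported as vulnerable because the 15.1 branch fix is 15.1.2.1, while 14.1.4.1 is reported as patched because it is above 14.1.4. Versions on a branch the advisory does not list (for example 11.5.x) come back as unknown; do not treat that as a pass.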
Readers can consult the full F5 security advisory (K02566623), published March 10, 2021, for more details.