F5 urges customers to patch critical BIG-IP pre-auth RCE bugs

F5 Networks, a leading enterprise networking device vendor, has disclosed four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

F5 BIG-IP software and hardware customers include governments, Fortune 500 businesses, banks, Internet service providers and consumer brands (including Microsoft, Oracle and Facebook), with the company claiming that "48 of the Fortune 50 rely on F5."

The four critical vulnerabilities include a pre-authentication RCE bug (CVE-2021-22986) that allows unauthenticated remote attackers to execute arbitrary commands on vulnerable BIG-IP devices.

F5 today also released security advisories for three other RCE vulnerabilities (two rated high and one medium, with CVSS severity scores between 6.6 and 8.8) that allow authenticated remote attackers to execute arbitrary system commands.

Successful exploitation of the critical BIG-IP RCE vulnerabilities can lead to a complete system compromise, including interception of the application traffic the device controls and lateral movement into the internal network.

According to F5, all seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 and 11.6.5.3.

CVE-2021-22986, the pre-auth RCE bug, also affects BIG-IQ (the central management solution for BIG-IP devices), where it is fixed in BIG-IQ 8.0.0, 7.1.0.3 and 7.0.0.2.
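A practical first step for any BIG-IP or BIG-IQ owner is to compare the running version against the fixed releases above, branch by branch, since a 14.1.x device is only safe once it reaches 14.1.4, not because a 16.0.1.1 release exists. The script below is an added example, not F5's code or tooling: it parses version strings numerically (so 14.1.4 sorts above 14.1.3.1), looks up the fix for the device's major.minor branch, and triages a small inventory. The inventory entries and hostnames are constructed for illustration; the rule that a branch newer than any fixed branch counts as fixed, and that a branch F5 names no fix for (such as end-of-life 11.5.x) is flagged for upgrade rather than assumed safe, are this example's own assumptions.

```python
# Added example (not F5's code): triage BIG-IP / BIG-IQ versions against the
# fixed releases F5 lists for the March 2021 advisories.
from typing import Dict, List, Tuple

# Fixed versions named in the advisory text, keyed by product.
# Anything in the same major.minor branch below these is treated as affected.
FIXED_VERSIONS = {
    "BIG-IP": ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3", "11.6.5.3"],
    "BIG-IQ": ["8.0.0", "7.1.0.3", "7.0.0.2"],
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '14.1.4' or '14.1.4.0' into a 4-tuple of ints so comparisons are
    numeric rather than lexical. A build suffix such as '14.1.4-0.0.11'
    (assumption: hotfix builds are written with a dash) is ignored."""
    base = version.strip().split("-")[0]
    parts = [int(p) for p in base.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'no fix listed' for one product/version pair."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    # Map each major.minor branch to its fixed release, e.g. (14, 1) -> (14, 1, 4, 0).
    fixed_by_branch = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS[product]}
    current = parse_version(version)
    branch = current[:2]
    if branch in fixed_by_branch:
        return "fixed" if current >= fixed_by_branch[branch] else "affected"
    if branch > max(fixed_by_branch):
        # Assumption: a branch newer than every fixed branch shipped after the fix.
        return "fixed"
    # Older or end-of-life branch with no fix in the advisory: still needs an upgrade.
    return "no fix listed"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Assess every (hostname, product, version) entry and return hostname -> status."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "15.1.2"),      # one point release short of 15.1.2.1
    ("lb-edge-02", "BIG-IP", "15.1.2.1"),    # exactly the fixed release
    ("lb-core-01", "BIG-IP", "14.1.3.1"),    # '3.1' < '4' only when compared numerically
    ("lb-legacy-01", "BIG-IP", "11.5.4"),    # branch with no fix listed
    ("bigiq-mgmt-01", "BIG-IQ", "7.1.0.2"),  # one point release short of 7.1.0.3
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

On a BIG-IP the version string to feed in comes from `tmsh show sys version` (or the device's REST/management inventory); devices reporting "affected" or "no fix listed" are the ones to schedule for the upgrade described in the guide below.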

"We strongly advise all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 said in an advisory published earlier today.

"To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

F5 provides instructions on how to upgrade the software running on BIG-IP devices, with details for the various upgrade scenarios, in its BIG-IP upgrade guide.

BIG-IP RCE bugs previously exploited by state hackers

In July 2020, F5 disclosed a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating, tracked as CVE-2020-5902, affecting the Traffic Management User Interface (TMUI) of BIG-IP ADC devices.

Like the pre-auth RCE bug disclosed today, CVE-2020-5902 allowed unauthenticated attackers to execute arbitrary system commands after successful exploitation.

Dragos security researchers reported in September that the Iranian-backed Pioneer Kitten intrusion group began targeting businesses that had not patched their BIG-IP devices in early July 2020, shortly after the bug was disclosed.

The malicious activity described by Dragos was corroborated by an FBI Private Industry Notification in August that also warned of Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices since early July 2020.

CISA has also issued an advisory on Chinese state-sponsored hackers targeting government agencies by attempting to exploit F5, Microsoft Exchange, Citrix and Pulse Secure devices and servers.

Businesses that do not patch their F5 BIG-IP ADCs run an even greater risk from financially motivated threat actors, who may also deploy ransomware on their networks and steal credentials to gain access to other devices on the network.