F5 releases patches for vulnerabilities affecting BIG-IP and BIG-IQ devices

by Sam August 27, 2021

To address two dozen-plus vulnerabilities influencing BIG-IP and BIG-IQ devices, F5, the Enterprise security and network appliance vendor, has issued patches. The exploitation of these flaws could allow threat actors to conduct malicious activities such as accessing arbitrary files, privileges escalation, and JavaScript code execution.

In total, 29 bugs were addressed. Out of these, 13 are rated as high-severity flaws, 15 are medium, and one is low in severity. Among these, the chief is tracked as CVE-2021-23031 (CVSS score: 8.8.). It is a flaw that allows the attacker t to perform a privilege escalation impacting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager.

F5 also mentioned that exploitation of this flaw could allow a threat actor access to the Configuration utility to execute arbitrary system commands, create or delete files, or disable services. It can also lead to a full system compromise.

For customers running the device in the Appliance mode, the flaw comes with a critical rating of 9.9 out of 10. The company said that since this attack is carried by users with authentication, there is no practical mitigation that also gives users access to the Configuration utility. The only way to mitigate it is to remove the access of suspicious users.

Also Read: Cisco releases Patch for addressing vulnerability in APIC

The other vulnerabilities patched by F5 include:

CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM Websocket vulnerabilities
CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities

Moreover, F5 has also resolved a number of flaws that include directory traversal vulnerability, SQL injection, open redirect vulnerability, cross-site request forgery, and a MySQL database flaw that leads to the database taking more space than required as the brute-force protection features of the firewall are enabled.