F5 releases patches for vulnerabilities affecting BIG-IP and BIG-IQ devices
In total, 29 bugs were addressed. Of these, 13 are rated high severity, 15 medium, and one low. The most serious is tracked as CVE-2021-23031 (CVSS score: 8.8), a privilege escalation flaw affecting BIG-IP Advanced Web Application Firewall (WAF) and BIG-IP Application Security Manager (ASM).
F5 also noted that an authenticated user exploiting this flaw could use the Configuration utility to execute arbitrary system commands, create or delete files, or disable services, which can lead to a full system compromise.
For customers running the device in Appliance mode, the flaw carries a critical rating of 9.9 out of 10. The company said that because the attack is carried out by authenticated users, there is no practical mitigation that still allows users access to the Configuration utility; the only mitigation is to remove access for untrusted users.
The other vulnerabilities patched by F5 include:
- CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in BIG-IP Configuration utility
- CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
- CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
- CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
- CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
- CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM Websocket vulnerabilities
- CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
- CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities
In addition, F5 resolved a number of further flaws, including a directory traversal vulnerability, a SQL injection, an open redirect, a cross-site request forgery, and a MySQL database flaw that causes the database to consume more space than required when the firewall's brute-force protection features are enabled.