F5 Bug Could Lead to Complete System Takeover

Application delivery and networking firm F5 released a baker’s dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to “critical” for customers in “especially sensitive sectors.”

F5 – maker of near-ubiquitously installed enterprise networking gear – released nearly 30 vulnerabilities for multiple devices in its August security updates.

The worst of the bunch is tracked as CVE-2021-23031 and affects BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM) – specifically, the Traffic Management User Interface (TMUI).

F5 said that when the vulnerability is exploited, “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,” potentially leading to “complete system compromise.”

CVE-2021-23031 normally entails a high rating of 8.8 severity, but that gets jacked up to 9.9 for just those customers that are using Appliance mode. The Appliance mode adds technical restrictions and is designed to meet the needs of customers in “especially sensitive sectors” by “limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.”

F5 lists a number of products that contain the affected code but aren’t vulnerable, given that attackers can’t exploit the code in default, standard or recommended configurations. F5 noted that there are a limited number of customers using it in the mode – i.e., Appliance mode – that elevates the vulnerability’s CVSSv3 severity score to 9.9 (critical).

No Viable Mitigation

F5 said that there’s “no viable mitigation” that also allows users access to the Configuration utility, given that this attack can be pulled off by legitimate, authenticated users. The only way to mitigate is to pull the access of any users who aren’t “completely trusted,” according to the advisory.

Customers who can’t install a fixed version right off the bat can use the following temporary mitigations, which restrict access to the Configuration utility to only trusted networks or devices and thereby limit the attack surface:

Besides the critical CVE-2021-23031 flaw, the dozen high-severity security bugs addressed in this month’s patch release and listed in the table below have risk scores of between 7.2 and 7.5. The flaws include authenticated remote command execution (RCE), cross-site scripting (XSS) and request forgery, as well as insufficient permission and denial-of-service (DOS).

Half of them affect all modules, five impact the Advanced WAF and ASM, and one affects the DNS module.

CISA Security Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory encouraging users and admins to review F5’s security advisory and to update the software or to apply mitigations ASAP.

“Don’t delay” is, of course, good advice when it comes to F5 equipment, given that the company’s enterprise networking can be found in some of the largest tech companies in the world, including Facebook, Microsoft and Oracle. It’s also found in the halls of a trove of Fortune 500 companies, including some of the world’s biggest financial institutions and ISPs.

That gear is also gleefully picked apart by attackers: CVE 2020-5902, a critical vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more, was recently featured in CISA’s list of top 30 bugs “routinely” exploited in 2020 and into this year.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.