Critical vulnerabilities in F5 BIG-IP and BIG-IQ systems now actively exploited
CVSS score: Highest at 9.9/10
- CVE-2021-22986 (CVSS: 9.8)
- CVE-2021-22987 (CVSS: 9.9)
- CVE-2021-22991 (CVSS: 9.0)
- CVE-2021-22992 (CVSS: 9.0)
Sources
Official Manufacturer: https://support.f5.com/csp/article/K02566623
Risks
The 4 critical vulnerabilities are briefly described below.
The non-vulnerable versions of the products can be found in the corresponding tables.
CVE-2021-22986
An attacker exploiting the vulnerability CVE-2021-22986 can execute arbitrary system commands, create or delete files and disable services. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
This vulnerability has been observed being actively exploited.
Vendor’s reference: https://support.f5.com/csp/article/K03009991
Affected products: F5 BIG-IP (CVE-2021-22986)
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
Branch | Vulnerable versions | Non-vulnerable versions |
---|---|---|
16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
14.X | 14.1.0 - 14.1.3 | 14.1.4 |
13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
11.X | 11.6.1 - 11.6.5 | 11.6.5.3 |
* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)
Affected products: F5 BIG-IQ (CVE-2021-22986)
Branch | Vulnerable versions | Non-vulnerable versions |
---|---|---|
8.X | None | 8.0.0 |
7.X | 7.0.0, 7.1.0 | 7.0.0.2, 7.1.0.3 |
6.X | 6.0.0 - 6.1.0 | None |
CVE-2021-22987
An attacker exploiting the vulnerability CVE-2021-22987 can perform an “authenticated remote command execution” in undisclosed pages.
Vendor's reference: https://support.f5.com/csp/article/K18132488
Affected products: F5 BIG-IP (CVE-2021-22987)
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
Branch | Vulnerable versions | Non-vulnerable versions |
---|---|---|
16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
14.X | 14.1.0 - 14.1.3 | 14.1.4 |
13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
11.X | None | Not applicable |
* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)
CVE-2021-22991
An attacker exploiting the vulnerability CVE-2021-22991 can trigger a buffer overflow when undisclosed requests are handled by the Traffic Management Microkernel (TMM).
Vendor's reference: https://support.f5.com/csp/article/K56715231
Affected products: F5 BIG-IP (CVE-2021-22991)
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
Branch | Vulnerable versions | Non-vulnerable versions |
---|---|---|
16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
14.X | 14.1.0 - 14.1.3 | 14.1.4 |
13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
11.X | None | Not applicable |
* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)
CVE-2021-22992
An attacker abusing CVE-2021-22992 can send a malicious HTTP response to an Advanced WAF/ASM virtual server that has a Login Page configured in its policy; this may trigger a buffer overflow resulting in a DoS (Denial of Service) attack.
Vendor's reference: https://support.f5.com/csp/article/K52510511
Affected products: F5 BIG-IP (CVE-2021-22992)
BIG-IP (Advanced WAF and ASM)
Branch | Vulnerable versions | Non-vulnerable versions |
---|---|---|
16.X | 16.0.0 - 16.0.1 | 16.0.1.1 |
15.X | 15.1.0 - 15.1.2 | 15.1.2.1 |
14.X | 14.1.0 - 14.1.3 | 14.1.4 |
13.X | 13.1.0 - 13.1.3 | 13.1.3.6 |
12.X | 12.1.0 - 12.1.5 | 12.1.5.3* |
11.X | 11.6.1 - 11.6.5 | 11.6.5.3 |
* An issue with the bigd process has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3. (https://support.f5.com/csp/article/K50524736)
Description
A total of 21 vulnerabilities, including four CRITICAL vulnerabilities, have been reported.
4 Critical CVEs:
- CVE-2021-22986: F5 BIG-IP and F5 BIG-IQ products are affected by a remote command execution vulnerability.
- CVE-2021-22987: Remote command execution vulnerability when running in Appliance mode
- CVE-2021-22991: Buffer-overflow vulnerability of the Traffic Management Microkernel (TMM)
- CVE-2021-22992: Buffer-overflow vulnerability of the WAF/BIG-IP ASM virtual server login page
The other vulnerabilities, rated HIGH (7) and MEDIUM (10), are explained on the vendor’s website: https://support.f5.com/csp/article/K02566623.
Recommended Actions
CERT.be recommends following the vendor’s “recommended actions” for F5 BIG-IP and BIG-IQ products: https://support.f5.com/csp/article/K03009991.
CERT.be advises upgrading F5 BIG-IP and BIG-IQ products to a non-vulnerable version (see tables above).
The vendor has posted “Considerations and guidance when you suspect a security compromise” on a BIG-IP system: https://support.f5.com/csp/article/K11438344. CERT.be recommends checking the F5 systems and their logs for suspicious activity.
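To act on the upgrade recommendation across a fleet, an administrator needs to map each device's reported version onto the tables above. The following Python script is an added example (it is not CERT.be or F5 code) that encodes those tables and classifies a version string as vulnerable, fixed, not affected or not listed. It assumes the usual reading of F5 fix tables, namely that every release in a branch from the first vulnerable version up to, but excluding, the first non-vulnerable version is vulnerable (so 12.1.5.2 counts as vulnerable for a 12.1.5.3 fix), and the inventory at the bottom is constructed sample data, not real hostnames.

```python
"""Classify BIG-IP / BIG-IQ versions against the fix tables of this advisory.

Added example, not code from CERT.be or F5. Version strings are the dotted
form shown in the advisory tables (e.g. "16.0.1.1").
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """'16.0.1' -> (16, 0, 1, 0): pad to four fields so 16.0.1 < 16.0.1.1."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# Each branch maps to a list of (first vulnerable version, first fixed version
# or None when no fix exists). An empty list means the table says "None"
# for that branch, i.e. not affected. Values transcribed from the tables above.
BIGIP_12_TO_16 = {
    16: [("16.0.0", "16.0.1.1")],
    15: [("15.1.0", "15.1.2.1")],
    14: [("14.1.0", "14.1.4")],
    13: [("13.1.0", "13.1.3.6")],
    12: [("12.1.0", "12.1.5.3")],
}
BIGIP_11 = {11: [("11.6.1", "11.6.5.3")]}

ADVISORY = {
    ("BIG-IP", "CVE-2021-22986"): {**BIGIP_12_TO_16, **BIGIP_11},
    ("BIG-IP", "CVE-2021-22987"): {**BIGIP_12_TO_16, 11: []},
    ("BIG-IP", "CVE-2021-22991"): {**BIGIP_12_TO_16, 11: []},
    # CVE-2021-22992 only concerns systems running Advanced WAF / ASM.
    ("BIG-IP", "CVE-2021-22992"): {**BIGIP_12_TO_16, **BIGIP_11},
    ("BIG-IQ", "CVE-2021-22986"): {
        8: [],
        7: [("7.0.0", "7.0.0.2"), ("7.1.0", "7.1.0.3")],
        6: [("6.0.0", None)],  # table lists no non-vulnerable 6.x release
    },
}


def status(product: str, cve: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not affected' or 'not listed'."""
    v = parse_version(version)
    branches = ADVISORY[(product, cve)]
    ranges = branches.get(v[0])
    if ranges is None:
        return "not listed"  # major version not covered by the advisory table
    if not ranges:
        return "not affected"  # table entry reads "None"
    # Pick the range whose lower bound is the closest one at or below v; this
    # separates the 7.0.0.x and 7.1.0.x sub-branches of BIG-IQ 7.X.
    candidates = [(parse_version(low), fixed) for low, fixed in ranges
                  if parse_version(low) <= v]
    if not candidates:
        return "not listed"  # older than the first version the table evaluates
    _, fixed = max(candidates, key=lambda c: c[0])
    if fixed is None or v < parse_version(fixed):
        return "vulnerable"
    return "fixed"


def assess(product: str, version: str) -> dict[str, str]:
    """Status of one device for every CVE of the advisory that covers its product."""
    return {cve: status(product, cve, version)
            for (p, cve) in ADVISORY if p == product}


def main() -> None:
    # Constructed sample inventory; replace with the versions your devices
    # report (the "Version" line of the product's version output).
    inventory = [
        ("lb-edge-01", "BIG-IP", "15.1.2"),
        ("lb-edge-02", "BIG-IP", "15.1.2.1"),
        ("lb-legacy", "BIG-IP", "11.6.5"),
        ("mgmt-bigiq", "BIG-IQ", "7.1.0"),
    ]
    for host, product, version in inventory:
        result = assess(product, version)
        flag = "UPGRADE" if "vulnerable" in result.values() else "ok"
        print(f"{host:12} {product:7} {version:10} {flag:8} {result}")


if __name__ == "__main__":
    main()
```

Devices reported as "not listed" (a branch or release the tables do not evaluate) should be treated as unverified rather than safe, and a BIG-IP flagged only for CVE-2021-22992 is exposed only when Advanced WAF or ASM is provisioned with a Login Page in the policy, as described above.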
References
Manufacturer:
- https://support.f5.com/csp/article/K03009991 (Vendor advisory)
- https://support.f5.com/csp/article/K04532512 (FAQ on the F5 vulnerabilities)
- https://support.f5.com/csp/article/K02566623 (Overview of the 21 F5 vulnerabilities)
- https://support.f5.com/csp/article/K11438344 (Considerations and guidance)
Other: