F5 urges customers to fix critical BIG-IP pre-authentication RCE bug

F5 Networks, a leading provider of enterprise network equipment, has announced four critical remote code execution (RCE) vulnerabilities affecting most supported versions of its BIG-IP and BIG-IQ software.

F5 BIG-IP software and hardware customers include governments, Fortune 500 companies, banks, Internet service providers and consumer brands (among them Microsoft, Oracle and Facebook), with the company claiming that “48 of the Fortune 50 companies depend on F5.”

Among the four critical vulnerabilities is a pre-authentication RCE flaw (CVE-2021-22986) in the iControl REST interface that allows unauthenticated remote attackers to execute arbitrary commands on unpatched BIG-IP devices.

Today, F5 also published security advisories for three other RCE vulnerabilities (two rated high and one medium, with CVSS severity scores between 6.6 and 8.8) that allow authenticated remote attackers to execute arbitrary system commands.

Successful exploitation of the critical BIG-IP RCE vulnerabilities can lead to complete system compromise, including interception of the application traffic the device fronts and lateral movement into the internal network.

The seven vulnerabilities have been fixed in the following versions of BIG-IP: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 and 11.6.5.3, according to F5.

CVE-2021-22986, the pre-authentication RCE flaw, also affects BIG-IQ (the centralized management solution for BIG-IP devices) and has been fixed in BIG-IQ 8.0.0, 7.1.0.3 and 7.0.0.2.
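The fixed-version lists above are what an administrator actually has to act on, so here is a small inventory check written for this page; it is not F5's code and is not taken from the advisory. It uses the fixed versions quoted above, assumes that every release on the same major.minor branch at or above the listed version carries the fix, and reports versions on any other branch (for example end-of-support branches the advisory does not list) as needing manual confirmation instead of guessing. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage BIG-IP / BIG-IQ versions against the fixed versions F5 published.

Added example, not F5 code. The fixed-version lists come from the article;
the branch rule (same major.minor, at or above the listed version => fixed)
is an assumption and the vendor advisory tables remain authoritative.
"""
from __future__ import annotations

import re

# Minimum fixed version on each release branch, as quoted in the article.
FIXED_VERSIONS: dict[str, list[str]] = {
    "BIG-IP": ["16.0.1.1", "15.1.2.1", "14.1.4", "13.1.3.6", "12.1.5.3", "11.6.5.3"],
    "BIG-IQ": ["8.0.0", "7.1.0.3", "7.0.0.2"],
}

# First dotted version token in the string; tolerates strings like
# "Version 15.1.2.1 Build 0.0.10" as printed by `tmsh show sys version`.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '15.1.2.1' into a comparable tuple, padding to four components
    so that '14.1.4' and '14.1.4.0' compare as equal."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def branch_of(version: tuple[int, ...]) -> tuple[int, int]:
    """Release branch is the major.minor pair (16.0, 15.1, 14.1, ...)."""
    return (version[0], version[1])


def assess(product: str, version_text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown-branch'.

    'unknown-branch' means the advisory lists no fix for this major.minor
    branch; treat such devices as unpatched until confirmed with the vendor.
    """
    version = parse_version(version_text)
    fixed_on_branch = {
        branch_of(parse_version(v)): parse_version(v) for v in FIXED_VERSIONS[product]
    }
    fix = fixed_on_branch.get(branch_of(version))
    if fix is None:
        return "unknown-branch"
    return "fixed" if version >= fix else "vulnerable"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map hostname -> status for a list of (hostname, product, version)."""
    return {host: assess(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "Version 16.0.1 Build 0.0.3"),
    ("lb-edge-02", "BIG-IP", "16.0.1.1"),
    ("lb-core-01", "BIG-IP", "15.1.2"),
    ("lb-core-02", "BIG-IP", "15.1.3"),
    ("lb-legacy-01", "BIG-IP", "11.5.4"),
    ("mgmt-bigiq-01", "BIG-IQ", "7.1.0.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Run it against the output of `tmsh show sys version` (or the BIG-IQ equivalent) collected from each device; anything reported as vulnerable or unknown-branch goes on the upgrade list, since the article's point is that only a fixed release fully remediates these flaws.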

“We strongly recommend that all customers upgrade their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” F5 says in a notice published earlier today.

“To fully address critical vulnerabilities, all BIG-IP customers will need to upgrade to a fixed version.”

F5 provides instructions for updating the software running on BIG-IP devices, covering the various upgrade scenarios, in its BIG-IP update guide.

BIG-IP RCE flaws previously exploited by state hackers

In July 2020, F5 fixed a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating tracked as CVE-2020-5902 and affecting the traffic management user interface (TMUI) of BIG-IP ADC devices.

Similar to the pre-authentication RCE bug announced today, CVE-2020-5902 allows unauthenticated attackers to execute arbitrary system commands after successful exploitation.

Dragos security researchers reported in September that the Iran-backed hacking group Pioneer Kitten had been targeting companies that had not patched their BIG-IP devices since early July 2020, shortly after the flaw was disclosed.

The activity described by Dragos aligned with an FBI Private Industry Notification from August, which also warned about Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices since early July 2020.

CISA also issued an advisory about Chinese state-sponsored hackers targeting government agencies by scanning for and attempting to exploit vulnerable F5 BIG-IP, Microsoft Exchange, Citrix and Pulse Secure devices and servers.

Organizations running unpatched F5 BIG-IP ADCs also face an elevated risk from financially motivated threat actors, who can use the same access to deploy ransomware on compromised networks and steal credentials for other network devices.