Another security vendor finds critical bugs in their products

Cybersecurity company F5 has issued a warning about seven vulnerabilities in its product suite, four of which are classified as critical. The bugs affect all F5 BIG-IP and BIG-IQ deployments and can be abused for Remote Code Execution (RCE), Denial of Service (DoS), and device takeover. The bugs are serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory, asking companies to "review the F5 advisory and install updated software as soon as possible." Per the F5 advisory, patches are now available for all seven vulnerabilities.

F5 security vulnerabilities

The most severe of the F5 vulnerabilities, CVE-2021-22987, has been assigned a severity rating of 9.9/10 under the Common Vulnerability Scoring System (CVSS). The bug allows users with network access to the configuration utility (also known as the Traffic Management User Interface) to "execute arbitrary system commands, create or delete files, or disable services." CVE-2021-22986, on the other hand, affects the iControl REST interface and allows the same types of attacks, giving it a severity rating of 9.8. However, both flaws require access to the control plane, which means an attacker would need to possess or steal login credentials. The last two critical bugs, CVE-2021-22991 and CVE-2021-22992, are buffer overflow vulnerabilities that open the door to DoS attacks and, in some situations, remote code execution.

Beyond these four critical vulnerabilities, the company also released details of one medium-severity flaw and two high-severity flaws, along with an apology to affected customers.

"These vulnerabilities were discovered as a result of regular and ongoing internal security testing of our solutions," F5 said in a blog post. "Because we understand how critical BIG-IP and BIG-IQ are to our customers, as soon as these vulnerabilities were discovered, we immediately began working on fixes and published advisories as soon as possible."

"The trust you place in F5 to manage the security and delivery of your most important assets, your applications, is not something we take lightly. We understand that remediating vulnerabilities can affect your business."