K02566623 : Overview of F5 vulnerabilities (March 2021)

Security Advisory Description

On March 10th, 2021, F5 announced twenty-one (21) CVEs, including four Critical vulnerabilities. This document is intended to serve as an overview of these vulnerabilities to help determine the impact on your F5 devices. The details of each issue can be found in the associated Security Advisory.

You may also wish to review the Frequently Asked Questions documents:

• K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990
• K90004114: Frequently Asked Questions for CVE-2021-22991
• K50963210: Frequently Asked Questions for CVE-2021-22992

The twenty-one (21) related vulnerabilities are as follows:

Critical CVEs

• K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

The iControl REST interface has an unauthenticated remote command execution vulnerability.

CVSS score: 9.8 (Critical)

• K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability CVE-2021-22987

When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 9.9 (Critical)

• K56715231: TMM buffer-overflow vulnerability CVE-2021-22991

Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE).

CVSS score: 9.0 (Critical)

• K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.

CVSS score: 9.0 (Critical)

Because of the severity of the Critical vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All above vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 is also fixed in BIG-IQ 8.0.0, 7.1.0.3, and 7.0.0.2.

High CVEs

• K70031188: TMUI authenticated remote command execution vulnerability CVE-2021-22988

TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 8.8 (High)

• K56142644: Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989

When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 8.0 (High)

• K55237223: BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

DOM-based XSS on DoS Profile properties page.

CVSS Score: 7.5 High

• K66851119: F5 TMUI XSS vulnerability CVE-2021-22994

Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948.

CVSS Score: 7.5 High

• K13155201: BIG-IQ HA vulnerability CVE-2021-22995

BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon.

CVSS Score: 8.2 High

• K16352404: BIG-IQ DCD vulnerability CVE-2021-22996

When set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. This behavior may lead to a denial-of-service (DoS) and impact the stability of a BIG-IQ high availability (HA) cluster.

CVSS Score: 7.5 High

• K34074377: BIG-IQ HA vulnerability CVE-2021-22997

BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted.

CVSS Score: 8.6 High

Medium CVEs

• K45056101: Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990

On systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS Score: 6.6 Medium

• K31934524: BIG-IP SNAT vulnerability CVE-2021-22998

SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners.

CVSS Score: 5.3 Medium

• K02333782: BIG-IP HTTP/2 vulnerability CVE-2021-22999

The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.

CVSS Score: 5.9 Medium

• K34441555: BIG-IP TMM vulnerability CVE-2021-23000

If the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host header value is checked in the AFM HTTP security profile associated with a virtual server, in rare instances, a specific sequence of malicious requests may cause TMM to restart.

CVSS Score: 5.9 Medium

• K06440657: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.

CVSS Score: 4.3 Medium

• K71891773: BIG-IP APM VPN vulnerability CVE-2021-23002

The session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes.

CVSS Score: 6.1 Medium

• K43470422: BIG-IP MPTCP vulnerability CVE-2021-23003

The Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server.

CVSS Score: 5.9 Medium

• K31025212: BIG-IP MPTCP vulnerability CVE-2021-23004

Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile.

CVSS Score: 5.9 Medium

• K01243064: BIG-IQ HA vulnerability CVE-2021-23005

When using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol.

CVSS Score: 6.5 Medium

• K30585021: BIG-IQ XSS vulnerability CVE-2021-23006

Undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability.

CVSS Score: 5.4 Medium

The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.

CVE	Severity	CVSS score	Affected products	Affected versions	Fixed versions	Appliance mode / Non-Appliance mode4	Control plane / Data plane5
CVE-2021-22986	Critical	9.8	BIG-IP (All modules)	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31	Both	Control plane – iControl REST
BIG-IQ	7.1.0-7.1.0.2
7.0.0-7.0.0.1
6.0.0-6.1.0	8.0.0
7.1.0.3
7.0.0.2	N/A	Control plane – iControl REST
CVE-2021-22987	Critical	9.9	BIG-IP (All modules)	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Appliance mode	Control plane - TMUI
CVE-2021-22991	Critical	9.0	BIG-IP (All Modules)3	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31	Both	Data plane
CVE-2021-22992	Critical	9.0	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Both	Data plane
CVE-2021-22988	High	8.8	BIG-IP (All Modules)	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Non-Appliance Mode	Control plane - TMUI
CVE-2021-22989	High	8.0	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Appliance mode	Control plane - TMUI
CVE-2021-22993	High	7.5	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2	16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31	Both	Control plane - TMUI
CVE-2021-22994	High	7.5	BIG-IP (All Modules)	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Non-Appliance Mode	Control Plane – iControl REST
CVE-2021-22995	High	8.2	BIG-IQ	7.0.0-7.1.0
6.0.0-6.1.0	8.0.0	N/A	Control Plane - BIG-IQ high availability
CVE-2021-22996	High	7.5	BIG-IQ	7.0.0-7.1.0	8.0.0	N/A	Control Plane - BIG-IQ Data Collection
CVE-2021-22997	High	8.6	BIG-IQ	7.0.0-7.1.0
6.0.0-6.1.0	8.0.0	N/A	Control Plane - BIG-IQ high availability
CVE-2021-22990	Medium	6.6	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Non-Appliance mode	Control plane - TMUI
CVE-2021-22998	Medium	5.3	BIG-IP (All Modules)	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Both	Data Plane - SNAT
CVE-2021-22999	Medium	5.9	BIG-IP (All Modules)	15.0.0-15.0.1
14.1.0-14.1.3	16.0.0
15.1.0
14.1.42	Both	Data Plane – HTTP/2 Profile
CVE-2021-23000	Medium	5.9	BIG-IP (All Modules)
13.1.3.4-13.1.3.6
12.1.5.2	14.0.0
13.1.4
12.1.5.31	Both	Data Plane – TMM
CVE-2021-23001	Medium	4.3	BIG-IP Advanced WAF/ASM	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3	Both	Control Plane – iControl REST
CVE-2021-23002	Medium	6.1	BIG-IP APM	16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3
13.1.0-13.1.3
12.1.0-12.1.5
11.6.1-11.6.5	16.0.1.12,6
15.1.2.16,7
14.1.42,6
13.1.3.66	Both	Data Plane – APM VPN
BIG-IP APM Clients	7.2.1
7.1.9
7.1.5-7.1.8	7.2.1.1
7.1.9.8
7.1.8.5	N/A	N/A
CVE-2021-23003	Medium	5.9	BIG-IP (All Modules)	16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31
11.6.5.3	Both	Data Plane – TCP Profile
CVE-2021-23004	Medium	5.9	BIG-IP (All Modules)	16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2	16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31
11.6.5.3	Both	Data Plane – TCP Profile
CVE-2021-23005	Medium	6.5	BIG-IQ	7.0.0-7.1.0
6.0.0-6.1.0	8.0.0	N/A	Control Plane - BIG-IQ high availability
CVE-2021-23006	Medium	5.4	BIG-IQ	7.0.0-7.1.0
6.0.0-6.1.0	8.0.0	N/A	Control Plane - BIG-IQ REST services

1An issue with the bigdprocess has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3.

2An issue with the Traffic Management Microkernel (TMM) process has been discovered in versions 16.0.1.1 and 14.1.4. For more information, refer to K37451543: TMM vulnerability CVE-2021-23007.

3Specific functionality is affected, refer to K56715231: TMM Buffer Overflow vulnerability CVE-2021-22991.

4For information about Appliance mode, refer to K12815: Overview of Appliance mode.

5The data plane relates to traffic processing (TMM tasks) while the control plane relates to computing, storing, and processing information (non-TMM tasks).

6In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. For more information, refer to K52547540: Updating BIG-IP Edge Client for the BIG-IP APM system. Note also that when you upgrade or update to BIG-IP 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1, VPN users may encounter issues described in the following articles: K39454429: Browser network access VPN clients fail to establish a VPN connection and K25173042: Browser network access VPN clients may not establish the first time after an APM Clients update.

7BIG-IP APM 15.1.2.1 includes the server fix but does not include the client fix. After upgrading or updating to BIG-IP 15.1.2.1, you must also update APM Clients to a version listed in the Fixes introduced in column and install the fix on the client side. To install the fix on the client side, you can setComponent UpdatetoYesin the affected Connectivity Profile OR redeploy and install the browserVPN helper application on all users’ client machines. For more information, refer to K81649656: Overview of APM Clients update on BIG-IP APM.