Lucene search

K
f5F5F5:K02566623
HistoryMar 10, 2021 - 12:00 a.m.

K02566623 : Overview of F5 vulnerabilities (March 2021)

2021-03-1000:00:00
my.f5.com
15

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

Security Advisory Description

On March 10th, 2021, F5 announced twenty-one (21) CVEs, including four Critical vulnerabilities. This document is intended to serve as an overview of these vulnerabilities to help determine the impact on your F5 devices. The details of each issue can be found in the associated Security Advisory.

You may also wish to review the Frequently Asked Questions documents:

The twenty-one (21) related vulnerabilities are as follows:

Critical CVEs

The iControl REST interface has an unauthenticated remote command execution vulnerability.

CVSS score: 9.8 (Critical)

When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 9.9 (Critical)

Undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE).

CVSS score: 9.0 (Critical)

A malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.

CVSS score: 9.0 (Critical)

Because of the severity of the Critical vulnerabilities, F5 recommends that all customers install fixed software as soon as possible. All above vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. CVE-2021-22986 is also fixed in BIG-IQ 8.0.0, 7.1.0.3, and 7.0.0.2.

High CVEs

TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 8.8 (High)

When running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS score: 8.0 (High)

DOM-based XSS on DoS Profile properties page.

CVSS Score: 7.5 High

Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948.

CVSS Score: 7.5 High

BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon.

CVSS Score: 8.2 High

When set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. This behavior may lead to a denial-of-service (DoS) and impact the stability of a BIG-IQ high availability (HA) cluster.

CVSS Score: 7.5 High

BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted.

CVSS Score: 8.6 High

Medium CVEs

On systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages.

CVSS Score: 6.6 Medium

SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners.

CVSS Score: 5.3 Medium

The BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed.

CVSS Score: 5.9 Medium

If the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host header value is checked in the AFM HTTP security profile associated with a virtual server, in rare instances, a specific sequence of malicious requests may cause TMM to restart.

CVSS Score: 5.9 Medium

The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.

CVSS Score: 4.3 Medium

The session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes.

CVSS Score: 6.1 Medium

The Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server.

CVSS Score: 5.9 Medium

Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile.

CVSS Score: 5.9 Medium

When using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol.

CVSS Score: 6.5 Medium

Undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability.

CVSS Score: 5.4 Medium

The following table provides key information for each vulnerability to assist in determining which are pertinent to your network.

CVE Severity CVSS score Affected products Affected versions Fixed versions Appliance mode / Non-Appliance mode4 Control plane / Data plane5
CVE-2021-22986 Critical 9.8 BIG-IP (All modules) 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31 Both Control plane – iControl REST
BIG-IQ 7.1.0-7.1.0.2
7.0.0-7.0.0.1
6.0.0-6.1.0 8.0.0
7.1.0.3
7.0.0.2 N/A Control plane – iControl REST
CVE-2021-22987 Critical 9.9 BIG-IP (All modules) 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Appliance mode Control plane - TMUI
CVE-2021-22991 Critical 9.0 BIG-IP (All Modules)3 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31 Both Data plane
CVE-2021-22992 Critical 9.0 BIG-IP Advanced WAF/ASM 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Both Data plane
CVE-2021-22988 High 8.8 BIG-IP (All Modules) 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Non-Appliance Mode Control plane - TMUI
CVE-2021-22989 High 8.0 BIG-IP Advanced WAF/ASM 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Appliance mode Control plane - TMUI
CVE-2021-22993 High 7.5 BIG-IP Advanced WAF/ASM 16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2 16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31 Both Control plane - TMUI
CVE-2021-22994 High 7.5 BIG-IP (All Modules) 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Non-Appliance Mode Control Plane – iControl REST
CVE-2021-22995 High 8.2 BIG-IQ 7.0.0-7.1.0
6.0.0-6.1.0 8.0.0 N/A Control Plane - BIG-IQ high availability
CVE-2021-22996 High 7.5 BIG-IQ 7.0.0-7.1.0 8.0.0 N/A Control Plane - BIG-IQ Data Collection
CVE-2021-22997 High 8.6 BIG-IQ 7.0.0-7.1.0
6.0.0-6.1.0 8.0.0 N/A Control Plane - BIG-IQ high availability
CVE-2021-22990 Medium 6.6 BIG-IP Advanced WAF/ASM 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Non-Appliance mode Control plane - TMUI
CVE-2021-22998 Medium 5.3 BIG-IP (All Modules) 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Both Data Plane - SNAT
CVE-2021-22999 Medium 5.9 BIG-IP (All Modules) 15.0.0-15.0.1
14.1.0-14.1.3 16.0.0
15.1.0
14.1.42 Both Data Plane – HTTP/2 Profile
CVE-2021-23000 Medium 5.9 BIG-IP (All Modules)
13.1.3.4-13.1.3.6
12.1.5.2 14.0.0
13.1.4
12.1.5.31 Both Data Plane – TMM
CVE-2021-23001 Medium 4.3 BIG-IP Advanced WAF/ASM 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3.1
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2.1
14.1.42
13.1.3.6
12.1.5.31
11.6.5.3 Both Control Plane – iControl REST
CVE-2021-23002 Medium 6.1 BIG-IP APM 16.0.0-16.0.1
15.1.0-15.1.2
14.1.0-14.1.3
13.1.0-13.1.3
12.1.0-12.1.5
11.6.1-11.6.5 16.0.1.12,6
15.1.2.16,7
14.1.42,6
13.1.3.66 Both Data Plane – APM VPN
BIG-IP APM Clients 7.2.1
7.1.9
7.1.5-7.1.8 7.2.1.1
7.1.9.8
7.1.8.5 N/A N/A
CVE-2021-23003 Medium 5.9 BIG-IP (All Modules) 16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31
11.6.5.3 Both Data Plane – TCP Profile
CVE-2021-23004 Medium 5.9 BIG-IP (All Modules) 16.0.0-16.0.1
15.1.0-15.1.1
14.1.0-14.1.3
13.1.0-13.1.3.5
12.1.0-12.1.5.2
11.6.1-11.6.5.2 16.0.1.12
15.1.2
14.1.3.1
13.1.3.6
12.1.5.31
11.6.5.3 Both Data Plane – TCP Profile
CVE-2021-23005 Medium 6.5 BIG-IQ 7.0.0-7.1.0
6.0.0-6.1.0 8.0.0 N/A Control Plane - BIG-IQ high availability
CVE-2021-23006 Medium 5.4 BIG-IQ 7.0.0-7.1.0
6.0.0-6.1.0 8.0.0 N/A Control Plane - BIG-IQ REST services

1An issue with the bigdprocess has been discovered in version 12.1.5.3. For more information, refer to K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3.

2An issue with the Traffic Management Microkernel (TMM) process has been discovered in versions 16.0.1.1 and 14.1.4. For more information, refer to K37451543: TMM vulnerability CVE-2021-23007.

3Specific functionality is affected, refer to K56715231: TMM Buffer Overflow vulnerability CVE-2021-22991.

4For information about Appliance mode, refer to K12815: Overview of Appliance mode.

5The data plane relates to traffic processing (TMM tasks) while the control plane relates to computing, storing, and processing information (non-TMM tasks).

6In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. For more information, refer to K52547540: Updating BIG-IP Edge Client for the BIG-IP APM system. Note also that when you upgrade or update to BIG-IP 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1, VPN users may encounter issues described in the following articles: K39454429: Browser network access VPN clients fail to establish a VPN connection and K25173042: Browser network access VPN clients may not establish the first time after an APM Clients update.

7BIG-IP APM 15.1.2.1 includes the server fix but does not include the client fix. After upgrading or updating to BIG-IP 15.1.2.1, you must also update APM Clients to a version listed in the Fixes introduced in column and install the fix on the client side. To install the fix on the client side, you can setComponent UpdatetoYesin the affected Connectivity Profile OR redeploy and install the browserVPN helper application on all users’ client machines. For more information, refer to K81649656: Overview of APM Clients update on BIG-IP APM.

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%