K96639388 : Overview of F5 vulnerabilities (April 2021)

Security Advisory Description

On April 28th, 2021, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. The details of each issue can be found in the associated Security Advisory.

High CVEs

• K51213246: BIG-IP APM AD Authentication vulnerability CVE-2021-23008

BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker.

CVSS score: 8.1 (High)

• K90603426: TMM with HTTP/2 vulnerability CVE-2021-23009

Malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only.

CVSS score: 7.5 (High)

• K18570111: BIG-IP ASM/Advanced WAF WebSocket vulnerability CVE-2021-23010

When the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON content profile in the ASM security policy, the BIG-IP ASM bd process may produce a core file.

CVSS score: 7.5 (High)

• K74151369: Appliance Mode authenticated iControl REST vulnerability CVE-2021-23015

When running in Appliance Mode, an authenticated user assigned the ‘Administrator’ role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints.

CVSS score: 8.7 (High)

Medium CVEs

• K10751325: TMM vulnerability CVE-2021-23011

When the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event.

CVSS score: 5.9 (Medium)

• K04234247: Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012

Lack of input validation for items used in system support functionality may allow users granted either “Resource Administrator” or “Administrator” roles to execute arbitrary bash commands on BIG-IP.

CVSS score: 7.9/6.0 (High/Medium, depending on system configuration)

• K05300051: TMM SCTP vulnerability CVE-2021-23013

The Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile.

CVSS score: 5.9 (Medium)

• K23203045: BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014

BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API, which might allow authenticated users with guest privileges to upload files.

CVSS score: 4.3 (Medium)

• K75540265: BIG-IP APM ACL Bypass Vulnerability CVE-2021-23016

An attacker may be able to bypass APM’s internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server.

CVSS score: 5.3 (Medium)

Security Exposures

• K91414704: BIG-IP Advanced WAF and ASM Brute Force Protection feature may not properly support the Post-Redirect-Get application flow

The Advanced WAF and BIG-IP ASM systems may not properly support the Post-Redirect-Get (PRG) application flow implemented on a back-end web server.

• K03544414: Running a CTU Diagnostics Report may leave elevated command prompt after report generation

Running a CTU Diagnostics Report may leave elevated command prompt after report generation.