Update March 25, 2021: CVE-2021-22986 is now being actively exploited in the wild by a range of malicious actors. Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available here.
On March 10, 2021, F5 disclosed eight vulnerabilities, four of which are deemed "critical". The most severe is CVE-2021-22986, an unauthenticated remote code execution weakness that enables remote attackers to execute arbitrary commands on affected BIG-IP devices:
On March 18, 2021, NCC Group reported seeing in-the-wild exploitation attempts, and they, along with other sources, expect that development of a complete attack chain is imminent.
Given that a complete exploit chain will be available soon, we recommend patching F5 systems that expose the affected planes (see below) externally within the next 3–5 days, and F5 systems that expose the affected planes only internally within a 30-day patch window that hopefully started eight days ago, provided that your organization follows a typical 30-, 60-, 90-day prioritization scheme. If your organization does not have a defined patch cadence, Rapid7 still recommends applying these internal system patches within the next 20 days.
iControl REST unauthenticated remote command execution vulnerability (CVSSv3 9.8).
An HTTP REST API endpoint exposed on the control plane of F5 devices has an unauthenticated remote code execution vulnerability, enabling attackers to execute arbitrary code/commands on affected devices. This impacts BIG-IP 12.x and later, as well as BIG-IQ (F5's centralized management platform for BIG-IP) 7.0.0 and 7.1.0, regardless of configuration.
Traffic Management Microkernel (TMM) buffer-overflow vulnerability (CVSSv3 9.0).
The Traffic Management Microkernel (TMM), which handles requests to virtual servers on the data plane, improperly handles certain undisclosed uniform resource identifiers (URIs). Malicious HTTP requests may cause a buffer overflow and result in a denial of service. You are vulnerable if any of the following configurations apply to your F5 deployments:
Furthermore, customers in the F5 "early access" program are also vulnerable if they are using the Advanced WAF Risk Engine.
The following commands can be run from a TMOS Shell (tmsh) and will return iRules / LTM policies that can be reviewed against example policies provided by F5 to determine whether your configurations are at risk:
tmsh -q -c "cd / ; list /ltm rule recursive" | egrep 'ltm rule|normalize' | grep -B1 normalize # iRules recursive query
tmsh -q -c "cd / ; list /ltm policy recursive" | egrep 'ltm policy|normalize' | grep -B1 normalize # LTM policies recursive query
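Reviewing the raw output of those two tmsh commands by eye is error-prone on a device with many objects. The script below is an added example, not code from the Rapid7 post or from F5: it reads the output of the two tmsh commands above on stdin and prints one line per iRule or LTM policy that references URI normalization, together with the offending line, so the findings can be compared against F5's example policies. The sample in `sample_tmsh_output` is constructed to approximate tmsh `list` formatting and is not real configuration.

```shell
#!/bin/sh
# Added example (not Rapid7's or F5's code): flag iRules and LTM policies that
# use URI normalization, the configuration precondition for CVE-2021-22991.
#
# Feed it the output of both tmsh queries on a BIG-IP (assumes tmsh is on PATH):
#   { tmsh -q -c "cd / ; list /ltm rule recursive";
#     tmsh -q -c "cd / ; list /ltm policy recursive"; } | sh audit_normalized.sh
# Run with --demo to process the constructed sample below instead.

# Print "<type> <name>: <line>" for every line mentioning "normalized" that
# sits inside an "ltm rule ... {" or "ltm policy ... {" object.
audit_normalized() {
    awk '
        # Object header: "ltm rule /Common/name {" or "ltm policy /Common/name {"
        /^ltm (rule|policy) / { type = $2; name = $3; next }
        # Any normalization reference inside the current object, e.g.
        # [HTTP::uri -normalized], [HTTP::path -normalized], or an LTM policy
        # http-uri condition with the "normalized" flag.
        type != "" && /normalized/ {
            line = $0
            sub(/^[ \t]+/, "", line)   # drop tmsh indentation
            print type " " name ": " line
        }
    '
}

# Constructed sample of tmsh output (not taken from a real device).
sample_tmsh_output() {
    cat <<'EOF'
ltm rule /Common/safe_redirect {
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/old" } { HTTP::redirect "/new" }
    }
}
ltm rule /Common/log_norm_uri {
    when HTTP_REQUEST {
        log local0. "normalized: [HTTP::uri -normalized]"
        log local0. "uri: [HTTP::uri]"
    }
}
ltm policy /Common/block_admin {
    rules {
        deny_admin {
            conditions {
                0 {
                    http-uri
                    path
                    normalized
                    starts-with
                    values { /admin }
                }
            }
        }
    }
}
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_tmsh_output | audit_normalized
fi
```

Only `/Common/log_norm_uri` and `/Common/block_admin` are reported; `/Common/safe_redirect` uses the plain `[HTTP::uri]` and is not affected. Anything the script prints should be checked against the affected-configuration list in F5's advisory before deciding the device is at risk, since the match is deliberately broad.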
Appliance Mode TMUI authenticated remote command execution vulnerability (CVSSv3 9.9).
If an F5 device is running in appliance mode, the Traffic Management User Interface (TMUI)/Configuration utility on the control plane has an authenticated remote code execution vulnerability in undisclosed URL paths, enabling authenticated attackers to execute arbitrary code/commands on affected devices.
Advanced WAF/ASM buffer-overflow vulnerability (CVSSv3 9.0).
If an F5 Advanced WAF/BIG-IP ASM virtual server has a Login Page policy defined, malicious HTTP responses may cause a buffer overflow, resulting in a denial-of-service attack and possibly remote code execution. This vulnerability is exposed on the data plane.
NOTE: The data plane refers to any traffic handled by a virtual server, SNAT, NAT, or other non-control-plane traffic handler. The control plane refers to management-related services and the traffic flowing to them, such as the Configuration utility (TMUI), iControl REST, and SSH, either through the management IP address or a self IP address exposing the HTTPS or SSH ports (usually 443 or 22).
A Project Zero report on CVE-2021-22992 posted by Felix Wilhelm notes that the vulnerable condition is triggered when BIG-IP systems have rules in place that process HTTP response headers (login pages are given as an example). The web application firewall does not process overlong HTTP response headers properly, and this can lead to a stack-based overflow.
This is not a trivial weakness to exploit, and in many cases it requires knowledge or control of the back-end applications behind F5 systems. The researcher notes three scenarios in which attackers may be able to gain more granular control over HTTP response headers:
The same researcher also posted a Project Zero report on CVE-2021-22991 noting a weakness in how IPv6 hostnames are processed. An example configuration and demonstration is provided there and reproduced below.
If there is an F5 iRule such as:
when HTTP_REQUEST {
log local0. "normalized: [HTTP::uri -normalized]"
log local0. "uri: [HTTP::uri]"
}
a malicious request of the form:
echo -e "GET h://[f] HTTP/1.1\r\n\r\n" | ncat --ssl 10.154.0.3 443
will result in uninitialized memory being written to /var/log/ltm on the F5 host, and can crash the Traffic Management Microkernel outright, causing a denial of service.
Exploitation depends on certain iRule configurations being in place, but attackers have plenty of time on their hands and an abundance of compromised hosts available to try many combinations of requests, and F5 systems are easily discoverable on the internet.
Until it is possible to install fixed versions, organizations can use the following F5 references as temporary mitigations for CVE-2021-22986 and CVE-2021-22987, restricting access to the iControl REST API endpoints and to the Configuration utility (TMUI) respectively:
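Independently of those references, the script below is an added example (not F5's or Rapid7's code) showing the shape of that lockdown as tmsh commands: restrict the management-interface HTTP allow list to trusted sources, which gates both the Configuration utility and iControl REST on the management address, and close control-plane services on self IPs with port lockdown. It assumes the `/sys httpd allow replace-all-with` and `/net self ... allow-service` tmsh syntax documented by F5; the self IP names and address ranges are hypothetical. The allow list is validated before anything is emitted, because an empty or malformed list is the quickest way to either lock the administrator out or leave the API reachable.

```shell
#!/bin/sh
# Added example (not F5's or Rapid7's code): generate the tmsh commands that
# restrict control-plane access while CVE-2021-22986 / CVE-2021-22987 are
# unpatched. Commands are printed for review; pipe them to sh on the device
# to apply (assumes tmsh on PATH there).
#
# Self IPs to lock down; hypothetical names, override with SELF_IPS="...".
SELF_IPS="${SELF_IPS:-/Common/external_self}"

# Accept only a plain IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/n).
valid_cidr() {
    case "$1" in *..*|.*|*.|'') return 1 ;; esac
    ip="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Print the lockdown commands for the given allow-list entries. Refuses an
# empty list (which would apply an empty allow list) and any invalid entry.
build_lockdown_cmds() {
    [ "$#" -gt 0 ] || { echo "refusing to apply an empty allow list" >&2; return 1; }
    allow=""
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid allow-list entry: $cidr" >&2; return 1; }
        allow="$allow $cidr"
    done
    allow="${allow# }"
    # Management interface: only listed sources may reach TMUI and iControl REST.
    echo "tmsh modify /sys httpd allow replace-all-with { $allow }"
    # Self IPs: port lockdown "none" closes every control-plane service there.
    for self in $SELF_IPS; do
        echo "tmsh modify /net self $self allow-service none"
    done
    echo "tmsh save /sys config"
}

# Example: build_lockdown_cmds 10.0.0.0/8 192.168.1.0/24 | sh   (run on the BIG-IP)
```

Review the printed commands before applying them. If a self IP carries HA, config-sync or mirroring traffic, `allow-service none` will break that traffic; in that case substitute the narrower service list F5 documents for port lockdown rather than closing the self IP entirely.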
We currently have coverage for the following CVEs:
We are investigating coverage for the remaining three CVEs affecting F5 Advanced WAF/BIG-IP ASM: