F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.
F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.”
The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:
Also Read: What You Should Know About The Data Protection Obligation Singapore
Today, F5 published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands.
Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.
The seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3, according to F5.
CVE-2021-22986, the pre-auth RCE flaw, also affects BIG-IQ (a management solution for BIG-IP devices), and it was fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.
“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” F5 says in a notification published earlier today.
“To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version.”
F5 provides information on how to upgrade the software running on your BIG-IP appliances with details on multiple upgrade scenarios in this BIG-IP upgrade guide.
In July 2020, F5 patched a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating tracked as CVE-2020-5902 and affecting the Traffic Management User Interface (TMUI) of BIG-IP ADC appliances.
Similar to the pre-auth RCE bug announced today, CVE-2020-5902 allows unauthenticated attackers to run arbitrary system commands following successful exploitation.
Dragos security researchers reported in September that the Iranian-backed Pioneer Kitten hacking group started targeting enterprises that didn’t patch their BIG-IP devices starting with early-July 2020 after the flaw was announced.
Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues
The malicious activity revealed by Dragos lined up with an August FBI Private Industry Notification also warning of Iranian state hackers attempting to exploit vulnerable Big-IP ADC devices since early July 2020.
CISA issued another advisory regarding China-sponsored hackers targeting government agencies by hunting down and trying to hack F5, Microsoft Exchange, Citrix, Pulse Secure devices and servers.
Enterprises with unpatched F5 BIG-IP ADCs face an even higher risk from financially motivated threat actors that might also deploy ransomware on compromised networks and steal credentials to access other network devices.
Role of Enhanced Access Controls in Safeguarding Personal Data in Telecommunications that every Organisation in…
Effective Incident Response Procedures in Strengthening Data Security that every Organisation in Singapore should know…
Crucial Role of Regular Vulnerability Scanning that every Organisation in Singapore should know. Strengthening Your…
Enhancing Data Security with Multi-Factor Authentication that every Organisation in Singapore should know. Enhancing Data…
Strong Password Policy as a first line of defense against data breaches for Organisations in…
Importance of Efficient Access Controls that every Organisation in Singapore should take note of. Enhancing…
This website uses cookies.
