Critical Vulnerabilities in F5 BIG-IP, BIG-IQ Enable Remote Code Execution on Vulnerable Systems

On March 10, 2021, F5 addressed a set of critical security issues that remote attackers might leverage to gain full control over vulnerable hosts. According to the vendor, four critical bugs exist in its BIG-IP and BIG-IQ products, enabling remote code execution (RCE) on affected instances. These security holes could have devastating consequences, since 48 of the Fortune 50 companies rely on F5’s enterprise networking infrastructure products. This list includes renowned tech vendors, government agencies, healthcare providers, financial institutions, and telecom firms.

Critical Vulnerabilities in F5 BIG-IP, BIG-IQ

The most urgent and nasty flaws are CVE-2021-22986 and CVE-2021-22987, which were assigned CVSS severity scores of 9.8 and 9.9, respectively. The first issue (CVE-2021-22986) is an unauthenticated remote command execution vulnerability residing in the iControl REST interface. It allows attackers to run arbitrary system commands, create or delete files, and manage system services. The second bug (CVE-2021-22987) derives from a misconfiguration in the Traffic Management User Interface (TMUI) and results in authenticated RCE via undisclosed pages when the device is running in application mode.

The remaining two F5 BIG-IP and BIG-IQ critical bugs (CVE-2021-22991, CVE-2021-22992) are buffer overflow issues in the Traffic Management Microkernel (TMM) and in Advanced WAF/ASM virtual servers. Both flaws received a CVSS severity score of 9.0 and enable remote code execution and denial-of-service (DoS) on impacted installations.

Alongside the critical security issues, F5 patched two high-severity bugs (CVE-2021-22988, CVE-2021-22989) and one medium-severity bug (CVE-2021-2290), all of which also result in remote code execution.

Detection and Mitigation

According to the F5 advisory, the four critical holes affect BIG-IP versions 11.6 or 12.x and newer, with one of them also affecting BIG-IQ versions 6.x and 7.x. Security patches for the issues were released this week, so users are urged to update promptly.

To detect possible exploitation attempts and enable proactive defense against the intrusions, SOC Prime Team released a set of Sigma rules available at Threat Detection Marketplace.

Possible F5 CVE-2021-22991 (via Zeek)

Possible F5 CVE-2021-22992 (via web)

Stay tuned to our blog so as not to miss further updates and new detections related to these dangerous flaws. All fresh information and upcoming Sigma rules will be added to this article.

F5 is the second world-leading company this month to urgently patch extremely dangerous flaws in its products. At the beginning of March 2021, Microsoft addressed several zero-day vulnerabilities affecting its Exchange Server. The flaws were immediately exploited in the wild by multiple threat actors, including the China-affiliated Hafnium APT. SOC Prime Team released a set of Sigma rules to enable quick detection and proactive defense against these zero-day issues. The list of detections is available in our dedicated blog post. Additionally, the rules were added to Uncoder.io, SOC Prime’s tool for converting the Sigma rule format into threat detection content tailored to the security platform in use.

Subscribe to Threat Detection Marketplace, the industry-first Content-as-a-Service (CaaS) and Detection as Code platform that aggregates the world’s largest library of detection and response rules, parsers, search queries, and other curated SOC content. Over 300 contributors enrich our global library each day to enable continuous detection of the most alarming cyber threats at the earliest stages of the attack lifecycle. Want to participate in these threat hunting activities? Join SOC Prime’s Threat Bounty Program for a safer future!