Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP!

March 11, 2021

Utility safety firm F5 Networks on Wednesday printed an advisory warning of 4 vital vulnerabilities impacting a number of merchandise that would end in a denial of service (DoS) assault and even unauthenticated distant code execution heading in the right direction networks.

The patches concern a complete of seven associated flaws (from CVE-2021-22986 by way of CVE-2021-22992), two of which have been found and reported by Felix Wilhelm of Google Undertaking Zero in December 2020.

The 4 vital flaws have an effect on BIG-IP variations 11.6 or 12.x and newer, with a vital pre-auth distant code execution (CVE-2021-22986) additionally affecting BIG-IQ variations 6.x and seven.x. F5 stated it is not conscious of any public exploitation of those points.

Profitable exploitation of those vulnerabilities may result in a full compromise of weak techniques, together with the opportunity of distant code execution in addition to set off a buffer overflow, resulting in a DoS assault.

Urging clients to replace their BIG-IP and BIG-IQ deployments to a set model as quickly as doable, F5 Networks’ Kara Sprague said the “vulnerabilities have been found because of common and steady inner safety testing of our options and in partnership with revered third events working by way of F5’s safety program.”

The vulnerabilities have been addressed within the following merchandise:

  • BIG-IP variations:,, 14.1.4,,, and
  • BIG-IQ variations: 8.0.0,, and seven.0.0.2

Moreover these flaws, Wednesday’s patches additionally embody fixes for 14 different unrelated safety points.

The fixes are notable for the truth that it is the second time in as a few years that F5 has revealed flaws that would permit distant code execution.

The newest replace to BIG-IP software program arrives lower than a yr after the corporate addressed a similar critical flaw (CVE-2020-5902) in early July 2020, with a number of hacking teams exploiting the bug to focus on unpatched units, prompting the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to challenge an alert cautioning of a “broad scanning exercise for the presence of this vulnerability throughout federal departments and companies.”

“This bug might be going to fly underneath the radar, however this can be a a lot greater deal than it seems to be as a result of it says one thing is de facto actually damaged within the inner safety strategy of F5 BIG-IP units,” said Matt “Pwn all of the Issues” Tait in a tweet.

Posted in SecurityTags:
Write a comment