Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
  • Residence:
  • County:
  • Country:
Cyber Security Incident Response
Management & Architecture of Cyber Security Teams
Solutions & Coaching
  • Cyber Security Incident Response
  • Management & Architecture of Cyber Security Teams
  • Solutions
  • Training & Coaching

F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices

August 26, 2021

Enterprise safety and community equipment vendor F5 has launched patches for greater than two dozen security vulnerabilities affecting a number of variations of BIG-IP and BIG-IQ gadgets that would probably permit an attacker to carry out a variety of malicious actions, together with accessing arbitrary recordsdata, escalating privileges, and executing JavaScript code.

Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.

Chief amongst them is CVE-2021-23031 (CVSS rating: 8.8), a vulnerability affecting BIG-IP Superior Net Utility Firewall and BIG-IP Utility Safety Supervisor that enables an authenticated person to carry out a privilege escalation.

Stack Overflow Teams

“When this vulnerability is exploited, an authenticated attacker with entry to the Configuration utility can execute arbitrary system instructions, create or delete recordsdata, and/or disable companies. This vulnerability could lead to full system compromise,” F5 stated in its advisory.

It is value noting that for purchasers operating the gadget in Appliance Mode, which applies further technical restrictions in delicate sectors, the identical vulnerability comes with a vital score of 9.9 out of 10. “As this assault is carried out by professional, authenticated customers, there is no such thing as a viable mitigation that additionally permits customers entry to the Configuration utility. The one mitigation is to take away entry for customers who are usually not fully trusted,” the corporate stated.

The opposite main vulnerabilities resolved by F5 are listed under –

  • CVE-2021-23025 (CVSS rating: 7.2) – Authenticated distant command execution vulnerability in BIG-IP Configuration utility
  • CVE-2021-23026 (CVSS rating: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
  • CVE-2021-23027 and CVE-2021-23037 (CVSS rating: 7.5) – TMUI DOM-based and mirrored cross-site scripting (XSS) vulnerabilities
  • CVE-2021-23028 (CVSS rating: 7.5) – BIG-IP Superior WAF and ASM vulnerability
  • CVE-2021-23029 (CVSS rating: 7.5) – BIG-IP Superior WAF and ASM TMUI vulnerability
  • CVE-2021-23030 and CVE-2021-23033 (CVSS rating: 7.5) – BIG-IP Superior WAF and ASM Websocket vulnerabilities
  • CVE-2021-23032 (CVSS rating: 7.5) – BIG-IP DNS vulnerability
  • CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS rating: 7.5) – Site visitors Administration Microkernel vulnerabilities

Moreover, F5 has additionally patched plenty of flaws that vary from listing traversal vulnerability and SQL injection to open redirect vulnerability and cross-site request forgery, in addition to a MySQL database flaw that leads to the database consuming extra space for storing than anticipated when brute-force safety options of the firewall are enabled.

Prevent Data Breaches

With F5 gadgets usually turning into juicy targets for energetic exploitation makes an attempt by menace actors, it is extremely advisable that customers and directors set up up to date software program or apply the mandatory mitigations as quickly as attainable.

Posted in SecurityTags:
Write a comment