Overview
Multiple vulnerabilities have been discovered in F5 products, the most severe of which could allow for remote code execution.
BIG-IP and BIG-IP Advanced WAF/ASM are a family of products covering software and hardware designed around application availability, access control, and security solutions.
BIG-IQ enables administrators to centrally manage BIG-IP infrastructure across the IT landscape. It discovers, tracks, manages, and monitors physical and virtual BIG-IP devices, whether in the cloud, on premises, or co-located at your preferred datacenter.
Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
The 2 most critical vulnerabilities allow a remote attacker with access to the user interface (or REST API via the user interface) to gain full control of the system and execute arbitrary system commands, create or delete files, and disable services. The most critical is unauthenticated. Exploitation can lead to complete system compromise. The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged companies using BIG-IP and BIG-IQ to fix the critical F5 flaws.
https://support.f5.com/csp/article/K18132488
https://support.f5.com/csp/article/K03009991
Background
These are “in the wild” vulnerabilities for existing software. Refer to the versions listed by F5 to see whether you are impacted based on the versions you are running. Details for the 2 most critical vulnerabilities can be found in the big tables in these articles:
F5 Announcement
On March 10, F5 announced several vulnerabilities and strongly urged customers to upgrade:
https://www.f5.com/services/support/March2021_Vulnerabilities
Recommendation
We recommend the following actions be taken:
Apply appropriate patches or appropriate mitigations provided by F5 to vulnerable systems immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
Apply the Principle of Least Privilege to all systems and services.
Latest Development
On March 20, multiple stories reported the F5 vulnerabilities as being under “active attack”.
For this or any other cybersecurity concerns, please feel free to reach out to us.