Threat Response: F5 – Multiple critical vulnerabilities in several products
On 11 March 2021 F5 disclosed a large number (21) of vulnerabilities in BIG-IP and BIG-IQ. These include remote code execution (RCE) vulnerabilities that allow attackers to remotely execute arbitrary code on vulnerable systems. Yesterday (16 March 2021) the Dutch National Cyber Security Centrum (NCSC) increased the probability of abuse for these vulnerabilities from medium to high due to the release of a proof-of-concept (PoC) exploit. Because of the increased risk and the high impact that compromise of these vulnerable systems can have on an organisation, we are informing you with this message.
What should you do?
If your infrastructure contains any of the affected F5 systems, Northwave strongly recommends updating them as soon as possible. A complete list of affected systems and versions is available on the F5 Knowledge base.
F5 has mitigated multiple vulnerabilities in the BIG-IP product line. The vulnerabilities enable a (possibly unauthenticated) malicious user to remotely attack the systems, causing the following categories of damage:
- (Remote) code execution (Administrator/Root rights)
- Cross-Site Scripting (XSS)
- Denial-of-Service (DoS)
- Bypass of security measures
Source: NCSC 
These vulnerabilities can be used to obtain full control over vulnerable BIG-IP systems or to cause denial of service (DoS). The vulnerable systems of F5 are usually located at strategically important locations in the network, which means that compromise by an attacker can lead to unavailability of the network, leakage of sensitive data or further compromise of the environment. Therefore, Northwave classifies the impact of the vulnerabilities as high.
The NCSC describes the properties of the various vulnerabilities as follows:
The vulnerabilities with codes CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22991 and CVE-2021-22992 have a CVSS3.1-score of at least 8.8. Each of these five vulnerabilities enables a (possibly unauthenticated) malicious user to remotely execute commands or code on vulnerable systems.
The vulnerability with code CVE-2021-22986 enables unauthenticated execution of commands through the iControl REST API and has a CVSS-score of 9.8.
The vulnerability with code CVE-2021-22992 has a CVSS-score of 9.0 and concerns a buffer overflow in Advanced WAF/ASM virtual servers. This vulnerability could possibly be abused remotely and without authentication to cause a DoS. In certain situations, it may theoretically allow bypass of URL-based access control or remote code execution (RCE).
The vulnerability with the highest CVSS-score of 9.9 is CVE-2021-22987. This vulnerability enables an authenticated malicious user to execute arbitrary commands on the Traffic Management User Interface (TMUI) if this system runs in “Appliance mode”.
At the time of writing no complete exploits are available; however, proof-of-concept (PoC) code is available for exploiting CVE-2021-22991 on the Data Plane. The expectation is that these vulnerabilities will be actively exploited in the short term. Therefore, Northwave estimates the risk of an attack to be high.
F5 has released updates to mitigate these vulnerabilities in BIG-IP. Security patches are available for multiple versions. See the F5 article for a complete list of all vulnerabilities, vulnerable systems and patched versions.
What will Northwave do?
Northwave is investigating the possibilities for monitoring exploitation attempts of this vulnerability and will implement detection rules when possible.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.