
F5 urges customers to patch 4 critical BIG-IP pre-auth RCE bugs



F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

F5 BIG-IP software and hardware customers include governments, Fortune 500 companies, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of the Fortune 50 rely on F5."

The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:

Today, F5 also published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands.

Successful exploitation of the critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement into the internal network.

The seven vulnerabilities are fixed in the BIG-IP versions listed in F5's advisories, including 14.1.4, according to F5.

CVE-2021-22986, the pre-auth RCE flaw, also impacts BIG-IQ (a management solution for BIG-IP devices), and it was fixed in 8.0.0, 7.0.0.2, and the other releases listed in F5's advisory.

"We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 says in a notification published earlier today.

"To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

F5 provides information on how to upgrade the software running on your BIG-IP appliances, with details on several upgrade scenarios, in this BIG-IP upgrade guide.
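Before scheduling upgrades it helps to know which appliances are still on an affected release. The script below is an added example, not F5 tooling and not part of the original article: it parses a TMOS-style version string (or the output of `tmsh show sys version`) and compares it with the fixed release for that device's own major.minor branch. Only the fixed versions named on this page (BIG-IP 14.1.4, BIG-IQ 8.0.0 and 7.0.0.2) are encoded; the other branches must be copied from F5's advisories into the table, and the script assumes, as F5 advisories are conventionally read, that a device is fixed once its version is at or above the fixed version of its own branch. The `tmsh` sample output is constructed for the demo.

```python
"""Check a BIG-IP / BIG-IQ version against the fixed versions named in F5's advisory.

Added example, not F5's own tooling. Assumption: a device is fixed when its
version is >= the fixed version published for its own major.minor branch.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed versions taken from the article, keyed by product and major.minor branch.
# Other branches are deliberately absent: add them from F5's advisory, otherwise
# the script reports 'unknown-branch' rather than guessing.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "BIG-IP": {"14.1": "14.1.4"},
    "BIG-IQ": {"8.0": "8.0.0", "7.0": "7.0.0.2"},
}

VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.1.2.8' into (14, 1, 2, 8); shorter strings are zero-padded to 4 parts
    so that '14.1.4' compares as (14, 1, 4, 0) against point releases."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a TMOS-style version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def branch_of(version: Tuple[int, ...]) -> str:
    """Major.minor branch used as the key into FIXED_VERSIONS, e.g. '14.1'."""
    return f"{version[0]}.{version[1]}"


def assess(product: str, running: str, table=FIXED_VERSIONS) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a running version.

    'unknown-branch' means the table has no fixed version for that major.minor
    line, so the verdict must come from the F5 advisory, not from this script.
    """
    ver = parse_version(running)
    fixed_for_branch = table.get(product, {}).get(branch_of(ver))
    if fixed_for_branch is None:
        return "unknown-branch"
    return "fixed" if ver >= parse_version(fixed_for_branch) else "vulnerable"


def assess_tmsh_output(product: str, tmsh_text: str) -> Optional[str]:
    """Pull the 'Version' line out of `tmsh show sys version` output and assess it.
    Returns None when no Version line is present."""
    m = re.search(r"^\s*Version\s+(\S+)", tmsh_text, re.MULTILINE)
    return assess(product, m.group(1)) if m else None


# Constructed sample of `tmsh show sys version` output (not captured from a real box).
SAMPLE_TMSH = """Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2.8
  Build       0.0.4
  Edition     Point Release 8
"""

if __name__ == "__main__":
    for product, running in [("BIG-IP", "14.1.2.8"), ("BIG-IP", "14.1.4.1"),
                             ("BIG-IP", "15.1.2"), ("BIG-IQ", "7.0.0.1")]:
        print(f"{product} {running}: {assess(product, running)}")
    print("tmsh sample:", assess_tmsh_output("BIG-IP", SAMPLE_TMSH))
```

Run it against the output of `tmsh show sys version` collected from each appliance; anything reported as `unknown-branch` is a branch you have not yet added from the advisory, not a clean bill of health.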

BIG-IP RCE flaws previously exploited by state hackers

In July 2020, F5 patched a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating, tracked as CVE-2020-5902 and affecting the Traffic Management User Interface (TMUI) of BIG-IP ADC appliances.

Similar to the pre-auth RCE bug announced today, CVE-2020-5902 allows unauthenticated attackers to run arbitrary system commands following successful exploitation.

Dragos security researchers reported in September that the Iranian-backed Pioneer Kitten hacking group began targeting enterprises that had not patched their BIG-IP devices starting in early July 2020, after the flaw was announced.

The malicious activity revealed by Dragos lined up with an August FBI Private Industry Notification that also warned of Iranian state hackers attempting to exploit vulnerable BIG-IP ADC devices since early July 2020.

CISA issued another advisory regarding China-sponsored hackers targeting government agencies by hunting down and attempting to hack F5, Microsoft Exchange, Citrix, and Pulse Secure devices and servers.

Enterprises with unpatched F5 BIG-IP ADCs face an even higher risk from financially motivated threat actors, who may also deploy ransomware on compromised networks and steal credentials to access other network devices.
