Home News Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP!

    Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP!


    Software safety firm F5 Networks on Wednesday revealed an advisory warning of 4 essential vulnerabilities impacting a number of merchandise that would lead to a denial of service (DoS) assault and even unauthenticated distant code execution on the right track networks.

    The patches concern a complete of seven associated flaws (from CVE-2021-22986 by CVE-2021-22992), two of which had been found and reported by Felix Wilhelm of Google Venture Zero in December 2020.

    The 4 essential flaws have an effect on BIG-IP variations 11.6 or 12.x and newer, with a essential pre-auth distant code execution (CVE-2021-22986) additionally affecting BIG-IQ variations 6.x and seven.x. F5 stated it isn’t conscious of any public exploitation of those points.

    Profitable exploitation of those vulnerabilities might result in a full compromise of weak programs, together with the opportunity of distant code execution in addition to set off a buffer overflow, resulting in a DoS assault.

    Urging clients to replace their BIG-IP and BIG-IQ deployments to a set model as quickly as doable, F5 Networks’ Kara Sprague said the “vulnerabilities had been found because of common and steady inner safety testing of our options and in partnership with revered third events working by F5’s safety program.”

    The vulnerabilities have been addressed within the following merchandise:

    • BIG-IP variations:,, 14.1.4,,, and
    • BIG-IQ variations: 8.0.0,, and seven.0.0.2

    Apart from these flaws, Wednesday’s patches additionally embrace fixes for 14 different unrelated safety points.

    The fixes are notable for the truth that it is the second time in as a few years that F5 has revealed flaws that would permit distant code execution.

    The newest replace to BIG-IP software program arrives lower than a 12 months after the corporate addressed a similar critical flaw (CVE-2020-5902) in early July 2020, with a number of hacking teams exploiting the bug to focus on unpatched gadgets, prompting the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to problem an alert cautioning of a “broad scanning exercise for the presence of this vulnerability throughout federal departments and companies.”

    “This bug might be going to fly underneath the radar, however it is a a lot larger deal than it seems as a result of it says one thing is admittedly actually damaged within the inner safety technique of F5 BIG-IP gadgets,” said Matt “Pwn all of the Issues” Tait in a tweet.

    Source link