F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices


    Enterprise security and network appliance vendor F5 has released patches for more than two dozen security vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ devices that could potentially allow an attacker to perform a range of malicious actions, including accessing arbitrary files, escalating privileges, and executing JavaScript code.

    Of the 29 bugs addressed, 13 are high-severity flaws, 15 are rated medium, and one is rated low in severity.

    Chief among them is CVE-2021-23031 (CVSS score: 8.8), a vulnerability affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager that allows an authenticated user to perform a privilege escalation.


    “When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise,” F5 said in its advisory.

    It is worth noting that for customers running the device in Appliance Mode, which applies additional technical restrictions in sensitive sectors, the same vulnerability carries a critical score of 9.9 out of 10. “As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the Configuration utility. The only mitigation is to remove access for users who are not completely trusted,” the company said.

    The other major vulnerabilities resolved by F5 are listed below:

    • CVE-2021-23025 (CVSS score: 7.2) – Authenticated remote command execution vulnerability in the BIG-IP Configuration utility
    • CVE-2021-23026 (CVSS score: 7.5) – Cross-site request forgery (CSRF) vulnerability in iControl SOAP
    • CVE-2021-23027 and CVE-2021-23037 (CVSS score: 7.5) – TMUI DOM-based and reflected cross-site scripting (XSS) vulnerabilities
    • CVE-2021-23028 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM vulnerability
    • CVE-2021-23029 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM TMUI vulnerability
    • CVE-2021-23030 and CVE-2021-23033 (CVSS score: 7.5) – BIG-IP Advanced WAF and ASM WebSocket vulnerabilities
    • CVE-2021-23032 (CVSS score: 7.5) – BIG-IP DNS vulnerability
    • CVE-2021-23034, CVE-2021-23035, and CVE-2021-23036 (CVSS score: 7.5) – Traffic Management Microkernel vulnerabilities

    In addition, F5 has patched a number of flaws ranging from directory traversal and SQL injection to open redirect and cross-site request forgery, as well as a MySQL database flaw that causes the database to consume more disk space than expected when the firewall's brute-force protection features are enabled.


    With F5 devices frequently becoming attractive targets for active exploitation attempts by threat actors, it is highly recommended that users and administrators install the updated software or apply the necessary mitigations as soon as possible.
