The vendor into application delivery and networking firm F5 released a baker’s dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to “critical” for customers that run BIG-IP in Appliance Mode, given that an attacker that holds valid credentials can bypass Appliance Mode restrictions.
F5 – maker of near-ubiquitously installed enterprise networking gear – released nearly 30 vulnerabilities for multiple devices in its August security updates.
The worst of the bunch is tracked as CVE-2021-23031 and affects BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM) – specifically, the Traffic Management User Interface (TMUI).
F5 said that when the vulnerability is exploited, “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,” potentially leading to “complete system compromise.”
CVE-2021-23031 normally entails a high rating of 8.8 severity, but that gets jacked up to 9.9 for just those customers that are using Appliance mode. The Appliance mode adds technical restrictions and is designed to meet the needs of customers in “especially sensitive sectors” by “limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.”
F5 lists a number of products that contain the affected code but aren’t vulnerable, given that attackers can’t exploit the code in default, standard or recommended configurations. F5 noted that there are a limited number of customers using it in the mode – i.e., Appliance mode – that elevates the vulnerability’s CVSSv3 severity score to 9.9 (critical).
F5 said that there’s “no viable mitigation” that also allows users access to the Configuration utility, given that this attack can be pulled off by legitimate, authenticated users. The only way to mitigate is to pull the access of any users who aren’t “completely trusted,” according to the advisory.
Customers who can’t install a fixed version right off the bat can use the following temporary mitigations, which restrict access to the Configuration utility to only trusted networks or devices and thereby limit the attack surface:
Block Configuration utility access through self IP addresses
Block Configuration utility access through the management interface
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
