More Critical RCEs: Assessing the Impact of F5 Vulnerabilities
What is the issue?
On March 10, 2021, a security advisory was released by F5 including 7 vulnerabilities, 4 of which are critical remote code execution vulnerabilities impacting all BIG-IP modules and a significant number of BIG-IQ products.
- CVE-2021-22986 (Critical)
- CVE-2021-22987 (Critical)
- CVE-2021-22991 (Critical)
- CVE-2021-22992 (Critical)
- CVE-2021-22988 (High)
- CVE-2021-22989 (High)
- CVE-2021-22990 (Medium)
On March 10, 2021, Censys identified 440,882 distinct hosts running BIG-IP products around the globe, indicating significant potential impact of the vulnerabilities. The highest number of hosts were found in the United States (239,834), more than the other top 10 countries combined.
Why does it matter?
BIG-IP devices typically sit between the soft internal corporate network and the crunchy hard shell that organizations surround themselves with – this could be firewalls, proxy services, DNS services, etc. While most of these vulnerabilities require access to the management interface on these devices to exploit, one appears to be exploitable from the outside. Once exploited, the compromised device becomes a jumping-off point for network infiltration. An attacker could stage further attacks inside the network from this device, resulting in persistence for the attacker and a high potential for breach.
We took a random sampling of U.S. based hosts running BIG-IP products and found the following breakdown by industry. Top industries in the U.S. include:
- Software & Computer Services (e.g. web email providers, other online services)
- Education Services (e.g., academic institutions, community colleges)
- Healthcare Equipment and Services (e.g. hospitals, medical device companies)
- Financial Services (e.g., investment companies)
- Government Agencies
F5 encourages all users to update as quickly as possible. If any of these CVEs are successfully exploited, the compromised device becomes a path for network infiltration. As already mentioned, an attacker could stage further attacks inside the network from this device resulting in persistence for the attacker and a high potential for breach.
What do I do about it?
Identify your potentially vulnerable versions of BIG-IP and BIG-IQ products and update those services in accordance with F5 guidance. If you suspect one of your devices has been compromised, or are beginning an investigation to search for potential compromise, F5 has provided IoCs and guidance (see the F5 "Considerations and Guidance if Suspected Compromise" link below).
To find your assets, you can easily leverage Censys Search with a free account. If you know the IP ranges of your Internet assets, you can use this query to find assets with BIG-IP products. Replace “ORG-IP” and “MASK” with your organization’s IP ranges and netmasks.
bigip and (ORG-IP/MASK OR ORG-IP/MASK)
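A small helper for building that query from your own ranges and checking the hosts it returns, added here as an example; it is not Censys or F5 code. It assumes the query syntax shown above, validates each CIDR before it is dropped into the query (a typo in a netmask would otherwise silently widen or narrow the search), and filters a list of returned hosts back down to the ranges you own, which is useful when you also run a broader query than the one above. The host records and IP ranges in the block are constructed sample data, not real search output.

```python
"""Build the Censys BIG-IP query for an organization's IP ranges and triage results.

Added example, not Censys or F5 code. The query shape follows the post:
    bigip and (ORG-IP/MASK OR ORG-IP/MASK)
All IP ranges and host records below are constructed sample values.
"""
import ipaddress
from typing import Iterable


def normalise_ranges(cidrs: Iterable[str]) -> list:
    """Parse and validate CIDR strings, failing early on malformed input.

    strict=False lets a host address with a mask (203.0.113.5/24) through and
    normalises it to its network (203.0.113.0/24); anything unparsable raises
    ValueError instead of reaching the query.
    """
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    if not nets:
        raise ValueError("at least one IP range is required")
    return nets


def build_bigip_query(cidrs: Iterable[str]) -> str:
    """Return the search query from the post with the placeholders filled in."""
    clause = " OR ".join(str(net) for net in normalise_ranges(cidrs))
    return f"bigip and ({clause})"


def triage(results: Iterable[dict], cidrs: Iterable[str]) -> tuple:
    """Split returned hosts into those inside your ranges and those outside.

    `results` is a list of dicts with an "ip" key (constructed shape, not the
    Censys record format). Hosts outside the ranges are kept separately rather
    than dropped so an unexpected hit can be investigated rather than ignored.
    """
    nets = normalise_ranges(cidrs)
    in_scope, unexpected = [], []
    for record in results:
        ip = ipaddress.ip_address(record["ip"])
        bucket = in_scope if any(ip in net for net in nets) else unexpected
        bucket.append(record["ip"])
    # Sort numerically rather than as strings so 198.x sorts before 203.x.
    return (sorted(in_scope, key=ipaddress.ip_address),
            sorted(unexpected, key=ipaddress.ip_address))


# Constructed sample input (documentation ranges, not real assets).
ORG_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
SAMPLE_RESULTS = [
    {"ip": "203.0.113.10"},
    {"ip": "203.0.113.77"},
    {"ip": "198.51.100.4"},
    {"ip": "192.0.2.9"},      # outside both ranges: flagged as unexpected
]

if __name__ == "__main__":
    print(build_bigip_query(ORG_RANGES))
    hits, unexpected = triage(SAMPLE_RESULTS, ORG_RANGES)
    print("BIG-IP hosts in scope:", hits)
    print("hosts outside declared ranges:", unexpected)
```

Paste the printed query into Censys Search; the triage step is for results you have exported, and the "unexpected" list is worth a look because a BIG-IP you did not expect to own is either an inventory gap or a scoping mistake.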
All Censys ASM customers have already been notified of specific ways to search for BIG-IP products in their environment and can follow this link for the filter in the Censys ASM Platform.
- F5 Critical Vulnerabilities Advisory: https://support.f5.com/csp/article/K02566623
- F5 Considerations and Guidance if Suspected Compromise: https://support.f5.com/csp/article/K11438344
- CISA Advisory: https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq