F5, the vendor of the BIG-IP application delivery platform, has patched several high-severity vulnerabilities in its networking devices, one of which is rated critical in a particular configuration.
The vulnerabilities are part of a security update that was released earlier this month and fixed about 30 vulnerabilities across numerous F5 devices.
One of the thirteen high-severity vulnerabilities fixed is rated critical in a configuration “designed to meet the needs of customers in especially sensitive sectors” and could result in complete system compromise.
CVE-2021-23031 affects the Advanced WAF (Web Application Firewall) and Application Security Manager (ASM) components of BIG-IP, specifically the Traffic Management User Interface (TMUI).
In the standard configuration it is a privilege escalation rated 8.8 (high): an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, potentially leading to complete system compromise.
The same vulnerability carries a critical rating of 9.9 out of 10 for customers running in Appliance Mode, which imposes some technical restrictions on the device.
F5’s security advisory for CVE-2021-23031 doesn’t explain in detail why there are two severity ratings, but it does say that the critical variant of the bug affects a “limited number of customers” until they update or apply mitigations.
For organizations that cannot yet update their devices, the only mitigation against possible exploitation is to restrict access to the Configuration utility to completely trusted users.
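One way to apply that mitigation on the device itself, shown here as an added illustration rather than text from the advisory or this article, is to limit which source addresses may reach the Configuration utility (served by the BIG-IP httpd service). The commands use F5’s tmsh syntax for the `/sys httpd allow` setting; the 192.0.2.0/24 range and the 198.51.100.10 address are constructed placeholders standing in for a trusted management network and administrator host.

```tmsh
# Show the current list of addresses allowed to reach the Configuration utility.
list /sys httpd allow

# Replace the allow list with only trusted management sources.
# (192.0.2.0/24 and 198.51.100.10 are placeholders; substitute your own
# trusted network and administrator host.)
modify /sys httpd allow replace-all-with { 192.0.2.0/24 198.51.100.10 }

# Confirm the change took effect, then persist it so it survives a reboot.
list /sys httpd allow
save /sys config
```

Restricting the allow list reduces who can reach the vulnerable interface but does not remove the flaw; an account holder inside the trusted range can still trigger it, so this is a stopgap until the fixed version is installed. Audit the resulting list against your inventory of administrator hosts, and apply a matching restriction on the management interface and any self IPs that expose the utility so the allow list is not bypassed by another path.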
The remaining 12 high-severity security flaws that were fixed have severity scores ranging from 7.2 to 7.5. Six of them affect all modules, five affect Advanced WAF and ASM, and one affects DNS.
The issues include authenticated remote command execution, cross-site scripting (XSS), request forgery, insufficient permission checks, and denial of service.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about F5’s security advisory, encouraging users and administrators to review the company’s information and apply the necessary software updates or mitigations.