{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-044.pdf"
    },
    "title": "Critical Vulnerabilities Affecting F5 Devices",
    "serial_number": "2021-044",
    "publish_date": "27-08-2021 08:36:00",
    "description": "On the 24th of August 2021, F5 released several security advisories affecting multiple versions of BIG-IP and BIG-IQ devices. Among them, there is one critical vulnerability - CVE-2021-23031 - that is affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager. It allows an authenticated user to perform a privilege escalation.",
    "url_title": "2021-044",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities Affecting\u00a0F5\u00a0Devices'\nversion: '1.0'\nnumber: '2021-044'\ndate: 'August 27, 2021'\n---\n\n_History:_\n\n* _27/08/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 24th of August 2021, F5 released several security advisories affecting multiple versions of BIG-IP and BIG-IQ devices [1]. Among them, there is one **critical** vulnerability -- CVE-2021-23031 -- that is affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager. It allows an authenticated user to perform a privilege escalation [2].\n\n# Technical Details\n\nFrom the security advisory [1]:\n\n## CVE-2021-23031\n\n**BIG-IP Advanced WAF and BIG-IP ASM vulnerability (K41351250) - CVSS score: 8.8 (High) and 9.9 (Critical) for appliance mode only**\n\nWhen exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. 
This vulnerability may result in complete system compromise.\n\n## CVE-2021-23025\n\n**BIG-IP TMUI vulnerability (K55543151) - CVSS score: 7.2 (High)**\n\nAn authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.\n\n## CVE-2021-23026\n\n**BIG-IP TMUI vulnerability (K53854428) - CVSS score: 7.5 (High)**\n\nBIG-IP and BIG-IQ are\u00a0vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.\n\n## CVE-2021-23027\n\n**TMUI XSS vulnerability (K24301698) - CVSS score: 7.5 (High)**\n\nA\u00a0DOM based\u00a0cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.\n\n## CVE-2021-23028\n\n**BIG-IP Advanced WAF and ASM vulnerability (K00602225) - CVSS score: 7.5 (High)**\n\nWhen JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.\n\n## CVE-2021-23029\n\n**BIG-IP Advanced WAF and ASM TMUI vulnerability (K52420610) - CVSS score: 7.5 (High)**\n\nInsufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.\n\n## CVE-2021-23030\n\n**BIG-IP Advanced WAF and ASM Websocket vulnerability (K42051445) - CVSS score: 7.5 (High)**\n\nWhen a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.\n\n## CVE-2021-23032\n\n**BIG-IP DNS vulnerability (K45407662) - CVSS score: 7.5 (High)**\n\nWhen a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the\u00a0Traffic Management Microkernel (TMM) to terminate.\n\n## CVE-2021-23033\n\n**BIG-IP 
Advanced WAF and ASM Websocket vulnerability (K05314769) - CVSS score: 7.5 (High)**\n\nWhen a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.\n\n## CVE-2021-23034\n\n**BIG-IP TMM vulnerability (K30523121) - CVSS score: 7.5 (High)**\n\nWhen a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.\n\n## CVE-2021-23035\n\n**TMM vulnerability (K70415522) - CVSS score: 7.5 (High)**\n\nWhen an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.\n\n## CVE-2021-23036\n\n**TMM vulnerability (K05043394) - CVSS score: 7.5 (High)**\n\nWhen a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.\n\n## CVE-2021-23037\n\n**TMUI XSS vulnerability (K21435974) - CVSS score: 7.5 (High)**\n\nA reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.\n\n# Affected Products\n\n* CVE-2021-23031 affects BIG-IP (Advanced WAF and ASM) before 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3\n\nFor the other CVEs, please consult the table available in the F5 advisory [1].\n\n# Recommendations\n\nApply the patches as soon as possible.\n\n# References\n\n[1] <https://support.f5.com/csp/article/K50974556>\n\n[2] <https://support.f5.com/csp/article/K41351250>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/08/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 24th of August 2021, F5 released several security advisories affecting multiple versions of BIG-IP and BIG-IQ devices [1]. Among them, there is one <strong>critical</strong> vulnerability -- CVE-2021-23031 -- that is affecting BIG-IP Advanced Web Application Firewall and BIG-IP Application Security Manager. It allows an authenticated user to perform a privilege escalation [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>From the security advisory [1]:</p><h3 id=\"cve-2021-23031\">CVE-2021-23031</h3><p><strong>BIG-IP Advanced WAF and BIG-IP ASM vulnerability (K41351250) - CVSS score: 8.8 (High) and 9.9 (Critical) for appliance mode only</strong></p><p>When exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.</p><h3 id=\"cve-2021-23025\">CVE-2021-23025</h3><p><strong>BIG-IP TMUI vulnerability (K55543151) - CVSS score: 7.2 (High)</strong></p><p>An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.</p><h3 id=\"cve-2021-23026\">CVE-2021-23026</h3><p><strong>BIG-IP TMUI vulnerability (K53854428) - CVSS score: 7.5 (High)</strong></p><p>BIG-IP and BIG-IQ are\u00a0vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.</p><h3 id=\"cve-2021-23027\">CVE-2021-23027</h3><p><strong>TMUI XSS vulnerability (K24301698) - CVSS score: 7.5 (High)</strong></p><p>A\u00a0DOM based\u00a0cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.</p><h3 id=\"cve-2021-23028\">CVE-2021-23028</h3><p><strong>BIG-IP Advanced WAF and ASM vulnerability 
(K00602225) - CVSS score: 7.5 (High)</strong></p><p>When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.</p><h3 id=\"cve-2021-23029\">CVE-2021-23029</h3><p><strong>BIG-IP Advanced WAF and ASM TMUI vulnerability (K52420610) - CVSS score: 7.5 (High)</strong></p><p>Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.</p><h3 id=\"cve-2021-23030\">CVE-2021-23030</h3><p><strong>BIG-IP Advanced WAF and ASM Websocket vulnerability (K42051445) - CVSS score: 7.5 (High)</strong></p><p>When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.</p><h3 id=\"cve-2021-23032\">CVE-2021-23032</h3><p><strong>BIG-IP DNS vulnerability (K45407662) - CVSS score: 7.5 (High)</strong></p><p>When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the\u00a0Traffic Management Microkernel (TMM) to terminate.</p><h3 id=\"cve-2021-23033\">CVE-2021-23033</h3><p><strong>BIG-IP Advanced WAF and ASM Websocket vulnerability (K05314769) - CVSS score: 7.5 (High)</strong></p><p>When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.</p><h3 id=\"cve-2021-23034\">CVE-2021-23034</h3><p><strong>BIG-IP TMM vulnerability (K30523121) - CVSS score: 7.5 (High)</strong></p><p>When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.</p><h3 id=\"cve-2021-23035\">CVE-2021-23035</h3><p><strong>TMM vulnerability (K70415522) - CVSS score: 7.5 (High)</strong></p><p>When an HTTP profile is 
configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.</p><h3 id=\"cve-2021-23036\">CVE-2021-23036</h3><p><strong>TMM vulnerability (K05043394) - CVSS score: 7.5 (High)</strong></p><p>When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.</p><h3 id=\"cve-2021-23037\">CVE-2021-23037</h3><p><strong>TMUI XSS vulnerability (K21435974) - CVSS score: 7.5 (High)</strong></p><p>A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>CVE-2021-23031 affects BIG-IP (Advanced WAF and ASM) before 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3</li></ul><p>For the other CVEs, please consult the table available in the F5 advisory [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>Apply the patches as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K50974556\">https://support.f5.com/csp/article/K50974556</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K41351250\">https://support.f5.com/csp/article/K41351250</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}