On a scale of one to ten, these F5 security problems score 9.9

By Eric Johansson

The US federal government has urged organisations using solutions from vendor F5 Networks to patch their software or run the risk of hacks with serious consequences.

The US Cybersecurity and Infrastructure Security Agency (CISA) said that remote-code execution (RCE) vulnerabilities exist in unpatched BIG-IP and BIG-IQ devices, and that “an attacker could exploit these vulnerabilities to take control of an affected system”. CISA underlined the danger by encouraging users to “install updated software as soon as possible.”

F5 Networks services more than 25,000 businesses around the world and lists 48 out of the Fortune 50 among its clients, including Facebook, Microsoft and Oracle. Its BIG-IP products are focused on traffic handling and load balancing, and BIG-IQ is used to manage and monitor BIG-IP kit.

Seattle-headquartered F5 issued a security advisory setting out the problems and how to rectify them. The vendor said the discovered vulnerabilities could be used by cybercriminals to launch remote code execution (RCE) attacks. Successful RCE attacks enable outsiders to gain access to systems and, by extension, to install malicious code of their own, as a variety of bad actors did after exploiting similar vulnerabilities in the recent and ongoing SolarWinds and Microsoft Exchange breaches.

The discovered weaknesses relate to BIG-IP versions 11.6 or 12.x and newer, and BIG-IQ versions 6.x and 7.x.

In total, F5’s team discovered seven vulnerabilities that cybercriminals could exploit. The most severe of these has been given the designation CVE-2021-22987 and a Common Vulnerability Scoring System (CVSS) score of 9.9. The CVSS scale goes from zero to 10.

“This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services,” F5 said. “This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode.”

The other six weaknesses involve similar dangers of being used in RCE attacks, and carry CVSS scores ranging from 6.6 to 9.8. Four of the seven vulnerabilities were classified as critical. One of the seven, with the catchy name CVE-2021-22991, could also be used by hackers to launch denial-of-service attacks, exposing users to the risk of ransomware attacks.
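As an added example, not taken from the article or from F5, the following Python helper shows how a defender might triage a device inventory against what this article states: it flags BIG-IP devices on 11.6 or on 12.x and newer, and BIG-IQ devices on 6.x or 7.x, and it buckets CVSS scores using the standard CVSS v3 qualitative severity ranges. The inventory lines and hostnames are constructed for the example. The article does not give the fixed versions, so flagged devices are marked for checking against F5’s advisory rather than compared to a specific fixed release.

```python
"""Triage helper: flag F5 devices in the version branches the article names.

Constructed example; the affected-branch rules below come from the article's
wording ("BIG-IP versions 11.6 or 12.x and newer, and BIG-IQ versions 6.x and
7.x"), not from F5's advisory, which is the authoritative source for fixed versions.
"""
import re
from typing import Callable, Dict, List, Tuple

# Affected branches as stated in the article: (major, minor) -> affected?
AFFECTED_BRANCHES: Dict[str, Callable[[int, int], bool]] = {
    "BIG-IP": lambda major, minor: (major == 11 and minor >= 6) or major >= 12,
    "BIG-IQ": lambda major, minor: major in (6, 7),
}

# The one score the article attributes to a specific CVE.
KNOWN_SCORES = {"CVE-2021-22987": 9.9}


def cvss_severity(score: float) -> str:
    """Standard CVSS v3.x qualitative rating for a base score (0.0 to 10.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into ints; patch defaults to 0."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True when the product/version falls in a branch the article calls affected."""
    rule = AFFECTED_BRANCHES.get(product)
    if rule is None:
        return False  # not a BIG-IP or BIG-IQ entry
    major, minor, _ = parse_version(version)
    return rule(major, minor)


# Constructed inventory: hostname,product,version (not real devices).
SAMPLE_INVENTORY = """\
lb-edge-01,BIG-IP,15.1.2
lb-edge-02,BIG-IP,11.5.4
lb-core-01,BIG-IP,11.6.5
mgmt-01,BIG-IQ,7.1.0
mgmt-legacy,BIG-IQ,5.4.0
fw-01,OtherVendor,3.2.1
"""


def triage(inventory_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, action) for every inventory line."""
    rows = []
    for line in inventory_text.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            action = "CHECK ADVISORY / PATCH"  # exact fixed versions not on this page
        else:
            action = "not in a listed branch"
        rows.append((host, product, version, action))
    return rows


if __name__ == "__main__":
    for cve, score in KNOWN_SCORES.items():
        print(f"{cve}: {score} ({cvss_severity(score)})")
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Running it prints the CVSS bucket for CVE-2021-22987 (9.9, Critical) and one line per inventory entry; the 6.6 and 9.8 scores the article mentions for the remaining issues map to Medium and Critical respectively under the same ranges.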

“The bottom line is that they affect all BIG-IP and BIG-IQ customers and instances – we urge all customers to update their BIG-IP and BIG-IQ deployments to the fixed versions as soon as possible,” said Kara Sprague, senior vice president and general manager of F5’s application delivery controller unit.

The news comes after F5 recently acquired multi-cloud startup Volterra in a $500m deal.
