Threat Research

Defending Against Critical F5 Vulnerabilities

By FortiGuard Labs | March 23, 2021

FortiGuard Labs Threat Update

FortiGuard Labs has been actively monitoring efforts by attackers around the world to scan for and locate devices vulnerable to recently revealed flaws in the F5 BIG-IP/BIG-IQ family of application availability, access control, and security solutions. In addition, we have identified multiple instances of new proof of concept code being posted to known sites that could be used to exploit these vulnerabilities, further demonstrating the need to apply patches quickly.

F5 BIG-IP is an application delivery controller (ADC) used for load balancing and facilitating the movement of web traffic to its destination, and BIG-IQ provides centralized management to analyze the health, performance, and availability of the F5 application delivery and security portfolio.

Twenty-one vulnerabilities were identified in the March 10, 2021 Security Advisory. Of those, the following four vulnerabilities were identified by F5 as Critical:

CVE-2021-22987 (CRITICAL Severity - CVSS score: 9.9)
CVE-2021-22986 (CRITICAL Severity - CVSS score: 9.8)
CVE-2021-22991 (HIGH Severity - CVSS score: 9.0)
CVE-2021-22992 (HIGH Severity - CVSS score: 9.0)

Technical Details Around F5 Vulnerabilities

As of now, only CVE-2021-22986 has been identified as being actively exploited in the wild. However, this may change given the number of new POCs currently being posted.

Here is a basic technical overview for each of the four most critical vulnerabilities:

CVE-2021-22986 (iControl REST unauthenticated remote command execution vulnerability)

This vulnerability allows an unauthenticated user to perform remote command execution on a vulnerable appliance. An unauthenticated attacker can execute arbitrary system commands, create or delete files, and disable services, which can ultimately lead to full system compromise. Unpatched systems are therefore susceptible to full control by an attacker. Compromise of the appliance gives an attacker not only full control of the appliance but also a foothold for later access, allowing the threat actor to cause further damage, such as the exfiltration of credentials, disruption of services, and the delivery of malware, including but not limited to ransomware, to vulnerable machines on the victim network via command execution.

CVE-2021-22987 (Appliance mode TMUI authenticated remote command execution vulnerability)

This vulnerability allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise and breakout of Appliance mode.

CVE-2021-22991 (TMM buffer-overflow vulnerability)

This buffer overflow vulnerability exists in the Traffic Management Microkernel (TMM), where undisclosed requests to a virtual server may be incorrectly handled. This can lead to a buffer-overflow that can result in a DoS attack.

CVE-2021-22992 (Advanced WAF/ASM buffer-overflow vulnerability)

A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.

Advisories on F5

CISA Notification

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations with BIG-IP and BIG-IQ deployments to immediately address the vulnerabilities tracked as CVE-2021-22986 and CVE-2021-22987.

F5 Remediations

F5 recommends that all customers apply all available patches from the March 2021 update immediately. Patches were released for all 21 vulnerabilities on March 10, 2021. Additional information was issued by F5 on March 17, 2021.

Fortinet Protections

FortiGate IPS

Customers running current IPS definitions are protected by the following signatures:

CVE-2021-22986 – "F5.iControl.REST.Interface.Remote.Command.Execution"
CVE-2021-22991 – "F5.BIG.IP.TMM.URI.Normalization.Buffer.Overflow"
CVE-2021-22992 – "F5.BIG.IP.ASM.HTTP.Response.Header.Buffer.Overflow"
CVE-2021-22987 – Coverage for CVE-2021-22987 was deemed not feasible at this time due to lack of detail. Regarding mitigation for this specific vulnerability, please visit the vendor bulletin titled "K04532512: Frequently asked questions for CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989, and CVE-2021-22990."

F5 recommends the following temporary mitigations for any CVE unable to be patched:

Block iControl REST access through the self IP address
Block iControl REST access through the management interface
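
One way to check that these blocks are actually in effect, as an added example that is not from F5 or FortiGuard Labs: the script below audits web access log lines for iControl REST requests arriving from outside an allowlisted management network. The log format (Common Log Format), the allowlist, and the sample lines are assumptions constructed for illustration; the /mgmt/ URI prefix comes from F5's iControl REST documentation rather than from this post.

```python
import ipaddress
import re

# Assumption: the only networks permitted to reach iControl REST (constructed).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# iControl REST URIs start with /mgmt/ (F5 API documentation, not this page).
REST_PREFIX = "/mgmt/"

# Common Log Format: src ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - admin [23/Mar/2021:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
198.51.100.7 - - [23/Mar/2021:10:03:44 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.9 - - [23/Mar/2021:10:04:10 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 401 87
203.0.113.9 - - [23/Mar/2021:10:04:12 +0000] "GET /index.html HTTP/1.1" 200 1024
-- log rotated --
"""


def audit_rest_access(log_text, allowed=ALLOWED_MGMT_NETS):
    """Return (line_no, source, path, outcome) for every iControl REST request
    that came from outside the allowlisted management networks."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or not m["path"].lower().startswith(REST_PREFIX):
            continue  # malformed line or not an iControl REST request
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # logged a hostname; resolve separately if needed
        if any(src in net for net in allowed):
            continue  # expected administrative access
        # With the block in place no such request should be logged at all;
        # a 2xx/3xx answer means the interface actually served it.
        outcome = "served" if int(m["status"]) < 400 else "rejected"
        findings.append((line_no, str(src), m["path"], outcome))
    return findings


if __name__ == "__main__":
    for finding in audit_rest_access(SAMPLE_LOG):
        print(finding)
```

Any finding means iControl REST was reachable from a network that should have been blocked; a "served" outcome deserves the most urgent follow-up.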

FortiGuard Labs

The potential for damage to daily operations and reputation, along with the potential for the unwanted release of data and the disruption of business operations, is high. Because of this, it is critical that Fortinet customers keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed as soon as fixes become available, and that systems are updated on a regular basis, to protect against attackers establishing a foothold within a network.

FortiGuard Labs is continuously looking for published proof of concept code related to this event. We will update this Threat Update blog and the FortiGuard Labs Threat Signal with further updates as they become available.
