Critical Pre-Auth RCE Flaw Found in F5 Big-IP Platform — Patch ASAP! (CVE-2021-22986/87/88/89/90/91/92)

One of the leading Cyber Security company F5 Networks on Wednesday published an article that contains a warning of multiple critical vulnerabilities impacting multiple products that could result in a denial of service (DoS) (Buffer overflow) attack and even unauthenticated remote code execution on target networks.

F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, different internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.”

Today, F5 published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands.

Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.

The seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3, according to F5.

CVE-2021-22986, the pre-auth RCE flaw, also affects BIG-IQ (a management solution for BIG-IP devices), and it was fixed in 8.0.0, 7.1.0.3, and 7.0.0.2.

“We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible,” F5 says in a notification published earlier today.

“To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version.”

F5 provides information on how to upgrade the software running on your BIG-IP appliances with details on multiple upgrade scenarios in this BIG-IP upgrade guide.