F5 Urges Customers to Patch Critical BIG-IP Pre-auth RCE Bug

Fnord666

from SoylentNews on 2021-03-12 17:10 (#5F8V9)

upstart writes in with an IRC submission:

F5 urges customers to patch critical BIG-IP pre-auth RCE bug:

F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.
F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of the Fortune 50 rely on F5."
The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:
CVE-2021-22986: iControl REST unauthenticated remote command execution (9.8/10)
CVE-2021-22987: Appliance Mode TMUI authenticated remote command execution (9.9/10)
CVE-2021-22991: TMM buffer-overflow (9.0/10)
CVE-2021-22992: Advanced WAF/ASM buffer-overflow (9.0/10)
[...] Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.
[...] "We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 says in a notification published earlier today.
"To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

Original Submission

Source	RSS or Atom Feed
Feed Location	https://soylentnews.org/index.rss
Feed Title	SoylentNews
Feed Link	https://soylentnews.org/
Feed Copyright	Copyright 2014, SoylentNews