F5 BIG-IP Flaw Lets Hackers Execute Arbitrary System Commands

https://gbhackers.com/f5-big-ip-flaw/

F5 Networks has fixed a critical vulnerability in its BIG-IP networking appliances. The vulnerability, tracked as CVE-2021-23031, is a privilege escalation issue in the Traffic Management User Interface (TMUI), also called the Configuration utility, of BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM).

According to the security advisory, an authenticated attacker with access to the Configuration utility who exploits this vulnerability can execute arbitrary system commands, create or delete files, and/or disable services. The flaw may result in complete system compromise.

BIG-IP Flaw

The issue carries a CVSSv3 score of 8.8 (High). BIG-IP systems also have the option of running in Appliance mode. This mode is designed to meet the needs of customers in especially sensitive sectors by restricting administrative access to the BIG-IP system to that of a typical network appliance rather than a multi-user UNIX device. Because a successful exploit in Appliance mode escapes those restrictions, its impact extends beyond the vulnerable component (CVSSv3 Scope: Changed), and the advisory rates the same flaw at 9.9 out of 10 (Critical) for systems running in that mode.

"The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9," reads the security advisory.

Only that limited set of customers is therefore affected by the issue at Critical severity.

Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature
--- | --- | --- | --- | --- | --- | ---
BIG-IP (Advanced WAF and ASM) | 16.x | 16.0.0 - 16.0.1 | 16.1.0, 16.0.1.2 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (Advanced WAF and ASM) | 15.x | 15.1.0 - 15.1.2 | 15.1.3 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (Advanced WAF and ASM) | 14.x | 14.1.0 - 14.1.4 | 14.1.4.1 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (Advanced WAF and ASM) | 13.x | 13.1.0 - 13.1.3 | 13.1.4 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (Advanced WAF and ASM) | 12.x | 12.1.0 - 12.1.5 | 12.1.6 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (Advanced WAF and ASM) | 11.x | 11.6.1 - 11.6.5 | 11.6.5.3 | High (Critical in Appliance mode only) | 8.8 (9.9 in Appliance mode) | TMUI/Configuration utility
BIG-IP (all other modules) | 16.x, 15.x, 14.x, 13.x, 12.x, 11.x | None | Not applicable | Not vulnerable | None | None
BIG-IQ Centralized Management | 8.x, 7.x, 6.x | None | Not applicable | Not vulnerable | None | None
Traffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None
F5OS | 1.x | None | Not applicable | Not vulnerable | None | None

F5 explains that users can eliminate this vulnerability by installing a version listed in the "Fixes introduced in" column.

List of Issues Addressed by F5

In the same batch of advisories, F5 fixed 30 high-severity vulnerabilities across multiple products, including authenticated remote command execution flaws, cross-site scripting (XSS) issues, request forgery issues, insufficient permission checks, and denial-of-service issues.

Mitigation

Since the attack is carried out by legitimate, authenticated users, F5 says the only mitigation is to remove access for users who are not completely trusted. Until a fixed version can be installed, the advisory recommends:

Block Configuration utility access through self IP addresses.
Block Configuration utility access through the management interface.

These mitigations restrict access to the Configuration utility to trusted networks or devices only, thereby limiting the attack surface.
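To turn the advisory table above into something an operator can run against an inventory, here is an added example (it is not F5's code or the article's) that classifies a BIG-IP Advanced WAF/ASM version string against the vulnerable ranges and "Fixes introduced in" versions listed, and reports the 8.8 or 9.9 score depending on whether the device runs in Appliance mode. The hostnames and version strings in the sample inventory are constructed; reading a range such as 16.0.0 - 16.0.1 as covering every point release of those versions (so 16.0.1.1 is vulnerable and 16.0.1.2 is the fix) is an assumption.

```python
"""Classify a BIG-IP Advanced WAF / ASM version against the CVE-2021-23031 table.

Added example; not code from F5 or from the article. The ranges and fixed
versions are copied from the advisory table on this page. Reading a range such
as "16.0.0 - 16.0.1" as covering every point release of those versions (so
16.0.1.1 is vulnerable and 16.0.1.2 is fixed) is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# branch -> (lowest vulnerable, highest vulnerable, fixes introduced in)
AFFECTED = {
    "16.x": ("16.0.0", "16.0.1", ("16.1.0", "16.0.1.2")),
    "15.x": ("15.1.0", "15.1.2", ("15.1.3",)),
    "14.x": ("14.1.0", "14.1.4", ("14.1.4.1",)),
    "13.x": ("13.1.0", "13.1.3", ("13.1.4",)),
    "12.x": ("12.1.0", "12.1.5", ("12.1.6",)),
    "11.x": ("11.6.1", "11.6.5", ("11.6.5.3",)),
}

BASE_SCORE, BASE_SEVERITY = 8.8, "High"                # standard deployment
APPLIANCE_SCORE, APPLIANCE_SEVERITY = 9.9, "Critical"  # Appliance mode, Scope: Changed


@dataclass(frozen=True)
class Assessment:
    version: str
    status: str                  # "vulnerable", "fixed" or "not listed"
    cvss: Optional[float] = None
    severity: Optional[str] = None
    fix: Optional[str] = None    # fixed version to move to, or the one already running


def parse_version(text: str) -> tuple[int, ...]:
    """'14.1.4.1' -> (14, 1, 4, 1); tuple comparison orders point releases correctly."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, appliance_mode: bool = False) -> Assessment:
    v = parse_version(version)
    row = AFFECTED.get(f"{v[0]}.x")
    if row is None:
        return Assessment(version, "not listed")
    low, high, fixes = row

    # At or past a fix on the same major.minor line: patched.
    for fix in fixes:
        f = parse_version(fix)
        if v[:2] == f[:2] and v >= f:
            return Assessment(version, "fixed", fix=fix)

    # Inside the vulnerable range (point releases included): vulnerable.
    if parse_version(low) <= v[:3] <= parse_version(high):
        # Nearest fix above the running version is the upgrade target.
        target = min((f for f in fixes if parse_version(f) > v), key=parse_version)
        if appliance_mode:
            return Assessment(version, "vulnerable", APPLIANCE_SCORE, APPLIANCE_SEVERITY, target)
        return Assessment(version, "vulnerable", BASE_SCORE, BASE_SEVERITY, target)

    return Assessment(version, "not listed")


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, appliance_mode).
    inventory = [
        ("waf-edge-01", "16.0.1", False),
        ("waf-edge-02", "16.0.1.2", False),
        ("asm-dc-01", "14.1.4", True),
        ("asm-lab", "11.6.0", False),
    ]
    for host, ver, appliance in inventory:
        a = assess(ver, appliance)
        extra = f" CVSS {a.cvss} ({a.severity}), upgrade to {a.fix}" if a.status == "vulnerable" else ""
        print(f"{host:<12} {ver:<10} {a.status}{extra}")
```

The script only classifies version strings; whether Advanced WAF or ASM is actually provisioned and whether the box runs in Appliance mode must be read from the device and passed in, since those two facts are what move a system between "not vulnerable", 8.8 and 9.9 in the table. A version that comes back "not listed" is outside the branches the advisory evaluates and should be treated as needing its own review rather than as safe.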