Security news that informs and inspires

Exploits Target F5 BIG-IP Flaw


Attackers have begun taking advantage of a critical remote unauthenticated code execution bug in F5’s BIG-IP appliances and researchers have detected at least two separate IP addresses that are using a full exploit chain for the bug.

The vulnerability (CVE-2021-22986) affects every version of the BIG-IP system, which is used in enterprises and other settings for traffic inspection and load balancing, among other tasks. F5 released a fix for the vulnerability on March 10 and warned customers that a successful exploit could lead to complete system compromise. Within a few days, security researchers had released several different proof-of-concept exploits. On Thursday, researchers at NCC Group released a detailed analysis of the exploit attempts they had seen, which at that point were not complete.

But by Friday that had changed and the researchers had seen complete full-chain exploits for the vulnerability coming from two separate IP addresses.

Exploitation of the vulnerability grants essentially unrestricted access to the target appliance.

“This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane,” the F5 advisory says.

The NCC Group researchers released detailed detection capabilities for the bug, as well as an analysis of what’s needed to exploit it.

“Exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the SSRF vulnerability to gain an authenticated session token. This authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication,” a post by Rich Warren and Sander Laarhoven says.

“The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an (authenticated) user to execute commands on the underlying server with root privileges. However, as the REST API is designed for remote administration, there are many endpoints which an attacker might wish to take advantage of.”

Organizations running BIG-IP appliances should apply the fixes as soon as possible, especially in light of the confirmed full-chain exploits in the wild.