Last updated at Thu, 25 Mar 2021 15:24:20 GMT

Update March 25, 2021: CVE-2021-22986 is now being actively exploited in the wild by a range of malicious actors. Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available here.

On March 10, 2021, F5 disclosed eight vulnerabilities, four of which are deemed "critical", the most severe of which is CVE-2021-22986, an unauthenticated remote code execution weakness that enables remote attackers to execute arbitrary commands on compromised BIG-IP devices:

On March 18, 2021, NCC Group reported seeing in-the-wild exploitation attempts, and they, along with other sources, expect that development of a complete attack chain is imminent.

Given that a complete exploit chain will be available soon, we recommend patching F5 systems that expose the affected planes (see below) externally within the next 3–5 days, and F5 systems that expose the affected planes only internally within a 30-day patch window that hopefully started eight days ago, provided that your organization follows a typical 30-, 60-, 90-day prioritization scheme. If your organization does not have a defined patch cadence, Rapid7 still recommends applying these internal system patches within the next 20 days.

Critical vulnerability overview

CVE-2021-22986

iControl REST unauthenticated remote command execution vulnerability (CVSSv3 9.8).

An HTTP REST API endpoint exposed on the control plane of F5 devices has an unauthenticated remote code execution vulnerability, enabling attackers to execute arbitrary code/commands on compromised devices. This impacts BIG-IP systems 7.0.0, 7.1.0, 12.x, and later, as well as any BIG-IQ (F5 BIG-IP centralized management service) version regardless of configuration.

CVE-2021-22991

Traffic Management Microkernel (TMM) buffer-overflow vulnerability (CVSSv3 9.0).

The Traffic Management Microkernel (TMM), which handles requests to virtual servers on the data plane, improperly handles certain, undisclosed uniform resource identifiers (URIs). Malicious HTTP requests may cause a buffer overflow and result in a denial-of-service attack. You are vulnerable to exploits if any of the following configurations apply to your F5 deployments:

  • BIG-IP 12.1.x or later running BIG-IP Access Policy Manager (APM) in any configuration
  • Specific functions are defined in enabled iRules or LTM policies
  • The URL categorization feature is enabled and in use in either BIG-IP PEM or Secure Web Gateway

Furthermore, customers in the F5 "early access" program are also vulnerable if they are using the Advanced WAF Risk Engine.

The following commands can be run from a TMOS Shell (tmsh) and will return iRules / LTM policies that can be reviewed against example policies provided by F5 to determine whether your configurations are at risk:

tmsh -q -c "cd / ; list /ltm rule recursive" | egrep 'ltm rule|normalize' | grep -B1 normalize # iRules recursive query
tmsh -q -c "cd / ; list /ltm policy recursive" | egrep 'ltm policy|normalize' | grep -B1 normalize # LTM policies recursive query
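To turn that grep pipeline into something you can run across many devices and keep as review evidence, here is an added Python audit script (not from this post and not F5 tooling) that parses the output of the two tmsh commands above and reports every iRule or LTM policy whose body references URI normalization, with the object name and the offending line. The tmsh output embedded in it is a constructed sample: the second iRule is the URI-logging rule quoted later in this post, and the LTM policy block is an approximation of tmsh's layout. The "ltm rule <name> {" header format and the brace nesting the parser relies on are assumptions about tmsh's listing format.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of what `tmsh -q -c "cd / ; list /ltm rule recursive"`
# (followed by the same for /ltm policy) prints. The second iRule is the
# URI-logging rule quoted in this post; the LTM policy layout is an
# approximation of tmsh's output and is illustrative only.
SAMPLE_TMSH_OUTPUT = """\
ltm rule /Common/_sys_https_redirect {
    when HTTP_REQUEST {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }
}
ltm rule /Common/log_uri_debug {
    when HTTP_REQUEST {
        log local0. "normalized: [HTTP::uri -normalized]"
        log local0. "uri: [HTTP::uri]"
    }
}
ltm policy /Common/path_policy {
    rules {
        r1 {
            conditions {
                0 {
                    http-uri
                    path
                    normalized
                    starts-with
                    values { /admin }
                }
            }
        }
    }
}
"""

# Assumption: a tmsh object starts with "ltm rule <name> {" or
# "ltm policy <name> {" at column 0 and ends when its braces balance.
OBJECT_HEADER_RE = re.compile(r"^ltm (?P<kind>rule|policy) (?P<name>\S+) \{")
# Same substring the post's egrep/grep pipeline keys on.
NORMALIZE_RE = re.compile(r"normalize")


def find_normalizing_objects(tmsh_output: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {"<kind> <name>": [(line_no, stripped_line), ...]} for every
    iRule or LTM policy whose body mentions URI normalization."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    current = None   # object we are inside, or None between objects
    depth = 0        # brace depth, so we know when an object body ends
    for line_no, line in enumerate(tmsh_output.split("\n"), start=1):
        header = OBJECT_HEADER_RE.match(line)
        if header and depth == 0:
            current = f"{header.group('kind')} {header.group('name')}"
            depth = 1          # the header line's own "{"
            continue
        if current is None:
            continue           # text between objects, ignore
        if NORMALIZE_RE.search(line):
            hits.setdefault(current, []).append((line_no, line.strip()))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current, depth = None, 0
    return hits


def report(hits: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Flatten the hits into one review line per match, sorted by object name."""
    lines = []
    for obj in sorted(hits):
        for line_no, text in hits[obj]:
            lines.append(f"{obj}: line {line_no}: {text}")
    return lines


if __name__ == "__main__":
    # Real use:  tmsh -q -c "cd / ; list /ltm rule recursive" | python3 audit_irules.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TMSH_OUTPUT
    for entry in report(find_normalizing_objects(data)):
        print(entry)
```

Run it once per command (rules, then policies) on each device, or concatenate the two listings, and diff the report over time so a newly added normalizing iRule shows up as a change rather than being missed in a one-off review.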

CVE-2021-22987

Appliance Mode TMUI authenticated remote command execution vulnerability (CVSSv3 9.9).

If an F5 device is running in appliance mode, the Traffic Management User Interface (TMUI)/Configuration utility on the control plane has an authenticated remote code execution vulnerability in an unknown number of target URL paths, enabling attackers to execute arbitrary code/commands on compromised devices.

CVE-2021-22992

Advanced WAF/ASM buffer-overflow vulnerability (CVSSv3 9.0).

If an F5 Advanced WAF/BIG-IP ASM virtual server has a Login Page policy defined, malicious HTTP responses may cause a buffer overflow, resulting in a denial-of-service attack and possibly remote code execution. This vulnerability is exposed on the data plane.

NOTE: The data plane refers to any traffic handled by a virtual server, SNAT, NAT, or other non-control-plane-traffic handler. The control plane refers to management-related services and traffic flowing to them, such as the Configuration utility (TMUI), iControl REST, and SSH, either through the management IP address or a self IP address exposing the HTTPS or SSH ports (usually 443 or 22).

Selected expanded details

A Project Zero report on CVE-2021-22992 posted by Felix Wilhelm notes that the vulnerable condition is triggered when BIG-IP systems have rules in place that process HTTP response headers (login pages are given as an example). The web application firewall does not process overlong HTTP response headers properly, and this can lead to a stack-based overflow.

This is not a trivial weakness to set up, and in many cases requires knowledge or control of back-end applications behind F5 systems. The researcher notes three scenarios where attackers may be able to gain more granular control over HTTP response headers:

  1. HTTP header injection: If one of the backend applications that sits behind an F5 system does not properly handle carriage returns/line feeds (CR/LF) in some inbound HTTP headers that are reflected into the HTTP response, an attacker can use this weakness in that application (not the F5 system itself) to cause the overflow in the F5 system.
  2. Request smuggling + HTTP/0.9: Some F5 configurations may still be vulnerable to various request smuggling techniques. Attackers may use an old version of the HTTP protocol (HTTP/0.9) to issue a simplified request to F5-fronted applications. These HTTP/0.9 requests will only return an HTML response without response headers. It may be possible to craft such a request to return user-controllable HTML responses that will trigger this stack-based overflow.
  3. Compromised backend: If an attacker has control over one or more F5-fronted applications, they may be able to use those systems to craft sufficiently large responses to trigger the overflow condition.

The same researcher also posted a Project Zero report on CVE-2021-22991 noting a weakness in how IPv6 hostnames are processed. An example configuration and demonstration is provided there and reproduced below.

If there is an F5 iRule such as:

when HTTP_REQUEST {
   log local0. "normalized: [HTTP::uri -normalized]"
   log local0. "uri: [HTTP::uri]"
}

a malicious request of the form:

echo -e "GET h://[f] HTTP/1.1\r\n\r\n" | ncat --ssl 10.154.0.3 443

will result in uninitialized memory being written to /var/log/ltm on the F5 host, which can lead to a direct crash of the Traffic Management Microkernel and, thus, a denial of service.

Exploitation is dependent on certain iRule configurations being in place, but attackers have plenty of time on their hands and an abundance of compromised hosts available to try many combinations of requests, and F5 systems are easily discoverable on the internet.
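As an added example (not from this post and not F5 tooling), here is a small Python detection that reads /var/log/ltm lines produced by an iRule like the one above and flags the two symptoms just described: requests whose URI carries a bracketed IPv6 literal that does not parse (the GET h://[f] shape), and "normalized:" values containing non-printable bytes, which is what the uninitialized-memory write would look like once it lands in the log. The log lines are constructed, and the "Rule <name> <EVENT>: <message>" layout is an assumption about how BIG-IP formats iRule log output; adjust IRULE_LOG_RE to match your own logs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of /var/log/ltm lines. The layout approximates how a
# BIG-IP records `log local0.` calls from an iRule ("Rule <name> <EVENT>: <msg>");
# timestamps, hostname, PID and request contents are made up. The last pair
# mimics the malformed request from the post, with a "normalized" value that
# carries stray bytes standing in for leaked uninitialized memory.
SAMPLE_LTM_LOG = (
    "Mar 18 10:21:07 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: uri: /index.html\n"
    "Mar 18 10:21:07 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: normalized: /index.html\n"
    "Mar 18 10:21:09 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: uri: http://[2001:db8::1]/app\n"
    "Mar 18 10:21:09 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: normalized: http://[2001:db8::1]/app\n"
    "Mar 18 10:21:12 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: uri: h://[f]\n"
    "Mar 18 10:21:12 bigip1 info tmm1[12345]: Rule /Common/log_uri_debug <HTTP_REQUEST>: normalized: h://[f]\x00\x7f\n"
)

# Assumed iRule log layout; the "uri:"/"normalized:" prefixes come from the
# iRule quoted in the post.
IRULE_LOG_RE = re.compile(
    r"Rule (?P<rule>\S+) <(?P<event>\w+)>: (?P<key>uri|normalized): (?P<value>.*)$"
)
# scheme://[host]... : only URIs whose authority is a bracketed (IPv6-style) literal
BRACKET_HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://\[(?P<host>[^\]]*)\]")


def malformed_ipv6_literal(uri: str) -> Optional[str]:
    """Return the bracketed host if the URI has one that is not a valid IPv6 address."""
    m = BRACKET_HOST_RE.match(uri)
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.IPv6Address(host)
        return None
    except ValueError:
        return host


def has_nonprintable(value: str) -> bool:
    """True if any character is a control/unassigned code point (NUL, DEL, C1, ...)."""
    return any(not ch.isprintable() for ch in value)


def scan_ltm_log(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious iRule log line, in file order."""
    findings: List[Dict] = []
    for line_no, line in enumerate(lines, start=1):
        m = IRULE_LOG_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        reasons = []
        host = malformed_ipv6_literal(value)
        if host is not None:
            reasons.append(f"unparseable IPv6 literal host [{host}]")
        if m.group("key") == "normalized" and has_nonprintable(value):
            reasons.append("non-printable bytes in normalized URI (possible uninitialized memory)")
        if reasons:
            findings.append({
                "line": line_no,
                "rule": m.group("rule"),
                "key": m.group("key"),
                "value": value,
                "reasons": reasons,
            })
    return findings


def rules_with_findings(findings: List[Dict]) -> Set[str]:
    """The iRules that emitted at least one suspicious line; these are the ones
    to review against the tmsh check earlier in the post."""
    return {f["rule"] for f in findings}


if __name__ == "__main__":
    for f in scan_ltm_log(SAMPLE_LTM_LOG.splitlines()):
        print(f"line {f['line']} rule {f['rule']} {f['key']}={f['value']!r}: {'; '.join(f['reasons'])}")
```

Because /var/log/ltm is written by the same TMM that would crash, a match on the last request logged before a TMM restart is the signal worth alerting on; pair this with your existing TMM restart or core-file monitoring rather than running it in isolation.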

Available mitigations

Until it is possible to install fixed versions, organizations can use the following F5 references as temporary mitigations for CVE-2021-22986 and CVE-2021-22987 to restrict access to iControl REST API endpoints:

InsightVM Coverage

We currently have coverage for the following CVEs:

  • CVE-2021-22986
  • CVE-2021-22987
  • CVE-2021-22988
  • CVE-2021-22991
  • CVE-2021-22994

We are investigating coverage for the remaining three CVEs affecting F5 Advanced WAF/BIG-IP ASM:

  • CVE-2021-22989
  • CVE-2021-22990
  • CVE-2021-22992
