Risk Rating: CRITICAL

Affected Products: F5 Big-Ip

Affected Version:16.1.0-16.1.2/ 15.1.0-15.1.5 / 14.1.0-14.1.4 / 13.1.0-13.1.4 /12.1.0-12.1.6 / 11.6.1-11.6.5

Patched Version: 17.0.0 / 16.1.2.2 / 15.1.5.1 / 14.1.4.6 / 13.1.5

Proof-of-Concepts available: yes

Vendor: F5

Date: 04/05/2022

Introduction:

F5 Big-Ip load-balancers can be abused to obtain Remote Command Execution (RCE). These devices have an administrative interface (iControl REST API), whose authentication mechanism can be bypassed. An attacker with network access could therefore craft HTTP queries that would reach the iControl REST interface and enable full RCE. This vulnerability was assigned a CVSS score of 9.8, which makes it a CRITICAL risk. Proof of Concepts that make weaponization of this vulnerability easier, is available online. F5 has created a simple script used by customers to identify if their devices are vulnerable.

Impact:

An unauthenticated attacker can run arbitrary commands on vulnerable F5 load-balancers. This can allow attackers to modify the devices’ configuration and could potentially allow them to pivot onto the internal infrastructure.

Remediation(s):

Apply the latest security patch from the vendor. If patching is not possible, iControl REST access through self-IP or through the management interface should be blocked.

Links & Resources:

• F5 official notification — https://support.f5.com/csp/article/K55879220