Number: AL21-004 UPDATE 1
Date: 19 March 2021
AUDIENCE
This Alert is intended for IT professionals and managers of notified organizations.
PURPOSE
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
OVERVIEW
On 10 March 2021, F5 publicly disclosed details of critical vulnerabilities affecting BIG-IP, BIG-IP Advanced WAF/ASM, and BIG-IQ products. Neither F5 nor the Cyber Centre are aware of active exploitation of these vulnerabilities; however, due to their criticality it is advised to apply the necessary patches or mitigations immediately.
UPDATE: As of 19 March 2021, the Cyber Centre has become aware of scanning and exploitation attempts against the iControl REST interface of F5 BIG-IP products within Canada. Successful exploitation could result in information disclosure or remote code execution, which could lead to a full system compromise.
DETAILS
On 10 March 2021, F5 published Security Advisory K02566623, which disclosed several vulnerabilities in BIG-IP (all modules), BIG-IP Advanced WAF/ASM, and BIG-IQ. [1] Four of the disclosed vulnerabilities are of critical severity. Of note are CVE-2021-22986 and CVE-2021-22987 (CVSS 9.8 and CVSS 9.9, respectively) which are vulnerabilities in the control plane for both the iControl REST interface and Traffic Management User Interface (TMUI).
CVE-2021-22986 allows unauthenticated actors with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services. The BIG-IP system in appliance mode is also vulnerable.
When running in appliance mode, CVE-2021-22987 allows authenticated users with network access to the Traffic Management User Interface (TMUI)/Configuration utility to execute arbitrary system commands, create or delete files, or disable services. Exploitation can lead to a breakout of appliance mode.
Both vulnerabilities can only be exploited through the control plane, and exploitation of these vulnerabilities could lead to complete system compromise.
The two remaining critical vulnerabilities, CVE-2021-22991 and CVE-2021-22992, disclosed by F5 are buffer overflows affecting BIG-IP and BIG-IP (Advanced WAF and ASM). These vulnerabilities can only be exploited through the data plane. Exploitation of these vulnerabilities could lead to denial of service or, in theory, remote code execution.
F5 recommends patching all systems running versions identified as vulnerable, including those deployed in virtual environments.
SUGGESTED ACTIONS
The Cyber Centre recommends organizations review all impacted F5 appliances and virtual deployments and patch to one of the below recommended versions. [1]
BIG-IP:
- Versions 16.0.0 to 16.0.1 should be upgraded to 16.0.1.1
- Versions 15.1.0 to 15.1.2 should be upgraded to 15.1.2.1
- Versions 14.1.0 to 14.1.3.1 should be upgraded to 14.1.4
- Versions 13.1.0 to 13.1.3.5 should be upgraded to 13.1.3.6
- Versions 12.1.0 to 12.1.5.2 should be upgraded to 12.1.5.3
- Versions 11.6.1 to 11.6.5.2 should be upgraded to 11.6.5.3
BIG-IQ:
- Version 8.0.0 is unaffected
- Versions 7.1.0 to 7.1.0.2 should be upgraded to 8.0.0
- Versions 7.0.0 to 7.0.0.1 should be upgraded to 7.1.0.3
- Versions 6.0.0 to 6.1.0 should be upgraded to 7.0.0.2
F5 indicates that if a fixed version has not been identified for a branch used by an organization then no update is available. F5 recommends that organizations upgrade to a version with an available patch. Organizations may use the F5 platform matrix to determine compatible software versions for their F5 platform. [1]
While the Cyber Centre strongly encourages patching as soon as possible, administrators should consider applying the mitigations described in the F5 KB articles if patching is not immediately possible. See [4] and [5] for more details. In summary:
- Block iControl REST access through the self IP address.
- Block iControl REST access through the management interface.
- Block Configuration utility access through self IP addresses.
- Block Configuration utility access through the management interface.
Patching as described in this section also fixes the buffer overflow vulnerabilities described in the previous section. There are no mitigations against CVE-2021-22991 other than patching, while for CVE-2021-22992 F5 has provided an iRule mitigation. [9] In all cases, the Cyber Centre and F5 recommend patching as the primary mitigation.
INDICATORS OF COMPROMISE
UPDATE: On 18 March 2021, security researchers at NCC Group released a report [10] which identified network activity associated with attempted exploitation of CVE-2021-22986. NCC Group has further published indicators of compromise to aid in the detection of related malicious activity.
UPDATE: Where recommended patches have not been applied, the Cyber Centre recommends reviewing relevant iControl REST logs for activity that may be suspicious. The Cyber Centre is aware of open-source signatures [11][12] that administrators may find useful in detecting malicious network activity related to CVE-2021-22986.
Note: The Cyber Centre is providing reference to these signatures for situational awareness only and makes no claims regarding their effectiveness. As these communication channels may be encrypted, the Cyber Centre encourages a thorough analysis of the filesystem, logs and network traffic of any potentially vulnerable systems.
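As an added example of the log review recommended above (this is not code from the alert, F5 or NCC Group), the Python script below parses constructed iControl REST access-log lines and flags two things a defender would triage first: control-plane requests arriving from outside the administrative networks that the mitigations above are meant to restrict, and successful REST calls from clients with no preceding successful login. The line format and the administrative network 10.20.0.0/24 are assumptions, not F5's real log layout.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (illustrative format, not F5's real log layout):
# timestamp client_ip method path status
SAMPLE_LOG = """\
2021-03-18T09:14:02Z 10.20.0.5 POST /mgmt/shared/authn/login 200
2021-03-18T09:14:10Z 10.20.0.5 GET /mgmt/tm/sys/version 200
2021-03-18T11:02:11Z 198.51.100.23 POST /mgmt/shared/authn/login 401
2021-03-18T11:02:12Z 198.51.100.23 GET /mgmt/tm/sys/version 200
2021-03-18T11:02:13Z 198.51.100.23 POST /mgmt/tm/sys/config 200
2021-03-18T12:30:00Z 10.20.0.9 GET /mgmt/tm/ltm/virtual 200
"""

# Assumed administrative networks from which iControl REST use is expected.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
LOGIN_PATH = "/mgmt/shared/authn/login"


def parse(log_text):
    """Yield (ts, ip, method, path, status) tuples; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status = m.groups()
            yield ts, ipaddress.ip_address(ip), method, path, int(status)


def triage(log_text, admin_nets=ADMIN_NETS):
    """Return a dict of client IP -> list of findings for iControl REST activity."""
    findings = defaultdict(list)
    logged_in = set()
    for ts, ip, method, path, status in parse(log_text):
        if not path.startswith("/mgmt/"):
            continue  # only control-plane REST traffic is of interest here
        if not any(ip in net for net in admin_nets):
            findings[ip].append(f"{ts} {method} {path}: client outside admin networks")
        if path == LOGIN_PATH:
            if status == 200:
                logged_in.add(ip)
            continue
        # A 2xx on a non-login REST call with no successful token login seen from
        # this client is a triage lead (basic-auth clients will also appear here).
        if 200 <= status < 300 and ip not in logged_in:
            findings[ip].append(f"{ts} {method} {path}: success without prior login")
    return {str(ip): msgs for ip, msgs in findings.items()}
```

Run `triage(SAMPLE_LOG)` against exported log lines in the same format; the internal host 10.20.0.9 is flagged as well, which shows why the second heuristic is a lead for manual review rather than a verdict.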
Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).
REFERENCES
[1] K02566623: Overview of F5 critical vulnerabilities (March 2021)
https://support.f5.com/csp/article/K02566623
[2] K9502: BIG-IP hotfix and point release matrix
https://support.f5.com/csp/article/K9502
[3] K15113: BIG-IQ hotfix and point release matrix
https://support.f5.com/csp/article/K15113
[4] K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
https://support.f5.com/csp/article/K13123
[5] K15106: Managing BIG-IQ product hotfixes
https://support.f5.com/csp/article/K15106
[6] K18132488: Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987
https://support.f5.com/csp/article/K18132488
[7] K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
https://support.f5.com/csp/article/K03009991
[8] K56715231: TMM buffer-overflow vulnerability CVE-2021-22991
https://support.f5.com/csp/article/K56715231
[9] K52510511: Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
https://support.f5.com/csp/article/K52510511
[10] NCC Group RIFT detection capabilities for CVE-2021-22986
https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/
[11] NCC Group CVE-2021-22986 Suricata signatures
https://github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2021_03_cve_2021_22986.txt
[12] Proofpoint Emerging Threats Suricata rules
https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.