Read Time:3 Minute, 40 Second
FortiGuard Labs is aware that F5 released a security advisory on August 24th about vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory the next day urging the customers to apply the fixes or put necessary mitigations in place. Of the 13 vulnerabilities that are rated high by the vendor, CVE-2021-23031 is given the highest CVSS score of 8.8 out of 10 and affects BIG-IP Advanced WAF and Application Security Manager (ASM). When abused, the vulnerability allows “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services,” which may result in the attack gaining complete control of the system. However, the CVSS score and rating jumps to 9.9 and Critical, respectively, when the products are running in Appliance mode. As Appliance mode is described as ” designed to meet the needs of customers in especially sensitive sectors”, CVE-2021-23031 requires additional attention and care.When Did the Vendor Post the Advisory?The vendor released the advisory on August 24th, 2021.What is the Breakdown of the Advisory?The advisory has 13 high vulnerabilities, 15 medium vulnerabilities, 1 low vulnerability and 6 security exposures affecting multiple versions of BIG-IP and BIG-IQ. However, high rating for CVE-2021-23031 is elevated to critical when the affected products are running in Appliance mode.For more details, see the Appendix for a link to “K50974556: Overview of F5 vulnerabilities (August 2021)”What is the Result of Successful Exploitation of CVE-2021-23031?Successful exploitation allows “an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services.” In the worst case scenario, the vulnerability enables the attack to take complete control of the system.What are the Technical Details of CVE-2021-23031?The advisory does not offer much technical details, nor why there are two separate ratings for the vulnerability other than the 9.9 rating applies to “the limited number of customers using Appliance mode.”For more details, see the Appendix for a link to “K41351250: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2021-23031″What is Appliance Mode?The following is provided by F5 in regard with Appliance mode:BIG-IP systems have the option of running in Appliance mode. Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.For more details, see the Appendix for a link to “K12815: Overview of Appliance mode”.How Does That Affect Overall Severity of CVE-2021-23031?Combining the facts that the vulnerability allows an authenticated attacker to take complete control of the system, the CVSS score is 9.9 when the affected products are running in Appliance mode. Since Appliance mode is designed especially for sensitive sectors, the actual severity could be even higher.What Products Are Vulnerable to CVE-2021-23031?BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) are vulnerable to CVE-2021-23031.Which Versions of WAF and ASM Are Vulnerable to CVE-2021-23031?The following versions are listed as vulnerable per F5:16.0.0 – 16.0.115.1.0 – 15.1.214.1.0 – 14.1.413.1.0 – 13.1.312.1.0 – 12.1.511.6.1 – 11.6.5Is the Vulnerability Exploited in the Wild?At the time of this writing, FortiGuard Labs is not aware of the vulnerability being exploited in the wild.FortiGuard Labs will continue to monitor the situation and provide updates as they become available.Is There Any Mitigation for CVE-2021-23031?According to the advisory, “the only mitigation is to remove access (to the Configuration utility) for users who are not completely trusted”.Has the Vendor Released Patches for the Vulnerabilities in their August 2021 Advisory?Yes, the vendor has released patches for all vulnerabilities listed in the advisory, including CVE-2021-23031.What is the Status of Coverage?As this time of writing, there is not sufficient information and Proof-of-Concept code available for FortiGuard Labs to create protections.FortiGuard Labs will continue to monitor the situation and provide updates as they become available.