External risk intelligence

F5 BIG-IP and BIG-IQ Remote Command Execution Vulnerability.

CVE advisory
Known Exploit

CVE-2021-22986

F5 BIG-IP and BIG-IQ products have a remote command execution vulnerability in the iControl REST interface. This could allow attackers to execute commands, impacting system integrity and data security. The business risk is high due to the potential for unauthorized access and control.

Halo Surface Signal: 5

Server-Side Request Forgery

F5 BIG-IP Access Policy Manager

Affected versions:

  • 12.1.0 to before 12.1.5.3
  • 13.1.0 to before 13.1.3.6
  • 14.1.0 to before 14.1.4
  • 15.1.0 to before 15.1.2.1
  • 16.0.0 to before 16.0.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2021-22986

The vulnerability affects the iControl REST interface in F5 BIG-IP and BIG-IQ products. These appliances are designed as network edge gateways, load balancers, and management portals that are commonly deployed in public-facing configurations to facilitate traffic management, making the management interface and related services frequent targets for internet-based exposure.

Horizon Alert

Summary of the vulnerability and why it matters

F5's BIG-IP and BIG-IQ Centralized Management products contain a critical vulnerability within the iControl REST interface. This flaw allows unauthenticated attackers to execute commands remotely, modify files, and disable services. The exploitation of this vulnerability can lead to significant business disruption and compromise of sensitive data.

  • Vulnerable F5 iControl REST interface
  • Unauthenticated remote command execution
  • Widespread system compromise

Attack Path

How an attacker could exploit the issue

The iControl REST interface on BIG-IP and BIG-IQ products contains a vulnerability that allows for remote command execution. This vulnerability is accessible without authentication. An attacker can leverage this to execute system commands, modify files, or disable services.

  • Network exposure required.
  • Unauthenticated attacker access.
  • Trigger command execution.
  • Impact: control or data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations utilizing the affected F5 BIG-IP and BIG-IQ systems. Attackers with a moderate skill level could exploit this flaw remotely without needing any prior authentication or access to the targeted systems. Successful exploitation allows for the execution of arbitrary commands, leading to potential data compromise, system disruption, and unauthorized modifications. The widespread use of these F5 products in critical infrastructure and enterprise environments elevates the urgency for remediation.

  • Attackers with moderate skills.
  • No prior authentication or access to the target needed.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The iControl REST interface in F5 BIG-IP and BIG-IQ products has an unauthenticated remote command execution vulnerability. This vulnerability could allow attackers to execute system commands, modify or delete files, and disable services. Organizations using affected versions should take immediate action to identify and mitigate this risk.

  • Find assets with vulnerable iControl REST.
  • Restrict iControl REST access.
  • Apply vendor fixes and verify.
  • Monitor for related activity.
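As an added example (not code from this page or from F5), a small Python helper for the asset-identification and patch-verification steps above: it encodes the affected-version ranges listed on this page and reports whether an inventoried BIG-IP version falls inside one, giving the first fixed version on that branch as the upgrade target. It assumes versions are dotted numeric strings as F5 reports them, and it covers only the BIG-IP ranges this page lists.

```python
from typing import Optional, Tuple

# Affected ranges as listed on this page, as (first affected, first fixed);
# a version v on that branch is affected when first_affected <= v < first_fixed.
AFFECTED_RANGES = [
    ("12.1.0", "12.1.5.3"),
    ("13.1.0", "13.1.3.6"),
    ("14.1.0", "14.1.4"),
    ("15.1.0", "15.1.2.1"),
    ("16.0.0", "16.0.1.1"),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.2' or '15.1.2.1' into a zero-padded numeric tuple so that
    15.1.2 == 15.1.2.0 and 15.1.10 > 15.1.9 (string comparison gets this wrong)."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric BIG-IP version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the listed range containing `version`, or None when the version
    falls outside every range on this page (a fixed version, or an unlisted branch)."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return (first_affected, first_fixed)
    return None

def triage_inventory(inventory: dict) -> dict:
    """Map hostname -> version to hostname -> remediation note for the patch step."""
    report = {}
    for host, version in inventory.items():
        rng = affected_range(version)
        if rng is None:
            report[host] = f"{version}: outside every listed affected range"
        else:
            report[host] = f"{version}: affected, upgrade to {rng[1]} or later"
    return report

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"lb-edge-01": "15.1.2", "lb-edge-02": "15.1.2.1",
              "lb-legacy-01": "12.1.5.3", "lb-test-01": "16.0.1"}
    for host, note in triage_inventory(sample).items():
        print(host, note)
```

A result of None only means the version is outside the ranges this page lists; versions on other branches still need to be checked against the vendor advisory.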

Frequently asked questions

What are F5 BIG-IP and BIG-IQ Centralized Management systems?

F5 BIG-IP and BIG-IQ are systems designed for application delivery and centralized management. They help ensure applications are available, perform efficiently, and are secure. These systems are crucial for directing user traffic to appropriate servers and enforcing security policies.

What weakness does CVE-2021-22986 describe?

CVE-2021-22986 describes an unauthenticated remote command execution vulnerability. The weakness is classified as CWE-918, indicating Server-Side Request Forgery, allowing attackers to trick the software into making unintended requests.

How can CVE-2021-22986 be exploited?

Attackers can exploit this by sending a specially crafted request to the iControl REST interface. This can allow them to execute system commands, modify files, or disable services on affected F5 devices.

Why is CVE-2021-22986 a significant concern?

This vulnerability is critical because it allows unauthenticated remote attackers to gain control of F5 BIG-IP and BIG-IQ devices. Its presence on internet-facing systems makes it a prime target for malicious actors.

What is the recommended action for CVE-2021-22986?

The primary recommendation is to apply the security patches released by F5 Networks as soon as possible. If immediate patching isn't feasible, temporary mitigations include restricting access to the iControl REST interface.
