The F5 Vulnerability Buzz
In an advisory released on 10th March 2021, F5 responsibly made its customers aware of critical remote command execution flaws in its BIG-IP and BIG-IQ platforms. In typical fashion, F5 Networks has shown incredible transparency and urgency in protecting its customers from potential vulnerabilities. F5 Networks continues to show why it is a global leader with continuous updates and rapid responses to such incidents.
It has been concluded that the flaws can allow attackers to take full control of a vulnerable system. In total, there are 21 CVEs, several of which have been rated as high-risk vulnerabilities.
With the perspicacious personnel painstakingly taking care of the issues, F5 advised all to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible. They have fixed the critical vulnerabilities in the BIG-IP versions 188.8.131.52, 184.108.40.206, 14.1.4, 220.127.116.11, 18.104.22.168, and 22.214.171.124. CVE-2021-22986 is also fixed in BIG-IQ 8.0.0, 126.96.36.199, and 7.0.02.
Networking infrastructure and its related components run on code developed by humans. Because inadvertent errors are always possible, that code can never be guaranteed to be perfect. What defines perfection is the willingness to acknowledge faults and rectify them in a way that ensures less loss and greater benefit for all.
Such a sagacious advisory and upgrade of tools have ensured the security of organizations, and this is the reason why F5 is relied on by the largest Fortune 500 companies, including tech giants like Microsoft, Oracle, Facebook, and many others.
What Went Wrong?
On the basis of the CVSS (Common Vulnerability Scoring System) score, the Common Vulnerabilities and Exposures (CVEs) have been divided into three categories:
- Critical CVEs: CVSS score more than 9 on a scale of 10
- High CVEs: CVSS score in the range 7.5-9
- Medium CVEs: CVSS score in the range 4-7.5
Let’s dive into the details of the Critical Vulnerabilities announced by F5:
1. With the highest CVSS score of 9.9, CVE-2021-22987 has been rated as the most critical vulnerability. According to the related security advisory, when the system is running in Appliance mode, the Configuration utility (TMUI) has an authenticated remote command execution vulnerability in undisclosed pages.
This allows authenticated users with network access to the Traffic Management User Interface, through self IP addresses or via the BIG-IP management port, to execute system commands, disable services, and create or delete files. It can only be exploited through the control plane, and such exploitation can result in a breakout of Appliance mode and complete system compromise.
Note: Systems not running in Appliance mode should refer to CVE-2021-22988.
2. Next comes CVE-2021-22986, with a CVSS score of 9.8. This vulnerability allows unauthenticated intruders with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute system commands, disable services, and create or delete files.
These two critical vulnerabilities got the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which especially urged all companies using BIG-IP and BIG-IQ to fix them by updating the software as soon as possible.
3. Third is the TMM buffer-overflow vulnerability CVE-2021-22991, with a CVSS score of 9.0. Because of this flaw, undisclosed requests to a virtual server might not be handled correctly by the Traffic Management Microkernel (TMM) URI normalization. This may trigger a buffer overflow, leading to a denial-of-service (DoS) attack. In some situations it may allow a bypass of URL-based access control or remote code execution.
4. CVE-2021-22992, termed the ‘Advanced WAF/ASM buffer-overflow vulnerability’, has a CVSS score of 9.0. A malicious HTTP response to an Advanced WAF/ASM virtual server with a Login Page configured in its policy might trigger a buffer overflow, with the potential for a DoS attack. In some situations, it may allow remote code execution (RCE), which can threaten the security of the whole system.
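The four critical findings above differ in which interface they are reached through and in whether credentials are a precondition, which is what decides patch and lockdown priority per device. The following is an added example, not F5 or AppViewX code: the CVE ids, scores and preconditions are those stated in the text, while the `Exposure` model and function names are this example's own assumptions.

```python
"""Exposure triage for the critical BIG-IP CVEs above (added example; not F5 or
AppViewX code). CVE ids, scores and preconditions come from the advisory text; the
Exposure model and function names are assumptions of this example."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    mgmt_port_reachable: bool    # management port reachable from untrusted networks
    self_ip_reachable: bool      # self IPs answer on control-plane ports
    appliance_mode: bool         # selects CVE-2021-22987 vs CVE-2021-22988
    has_virtual_servers: bool    # TMM processes data-plane requests
    asm_login_page_policy: bool  # Advanced WAF/ASM policy with a Login Page configured


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: Optional[float]  # None where the page does not state a score
    surface: str
    authenticated: bool    # True when valid credentials are a precondition
    impact: str


def applicable(e: Exposure) -> List[Finding]:
    """Findings reachable on this device, highest CVSS first, unscored last."""
    control_plane = e.mgmt_port_reachable or e.self_ip_reachable
    out: List[Finding] = []
    if control_plane and e.appliance_mode:
        out.append(Finding("CVE-2021-22987", 9.9, "TMUI", True, "auth RCE, appliance-mode breakout"))
    if control_plane and not e.appliance_mode:
        out.append(Finding("CVE-2021-22988", None, "TMUI", True, "auth RCE (non-appliance mode)"))
    if control_plane:
        out.append(Finding("CVE-2021-22986", 9.8, "iControl REST", False, "unauthenticated RCE"))
    if e.has_virtual_servers:
        out.append(Finding("CVE-2021-22991", 9.0, "TMM URI normalization", False,
                           "buffer overflow: DoS, possible access-control bypass or RCE"))
    if e.has_virtual_servers and e.asm_login_page_policy:
        out.append(Finding("CVE-2021-22992", 9.0, "Advanced WAF/ASM Login Page", False,
                           "buffer overflow: DoS, possible RCE"))
    return sorted(out, key=lambda f: (f.cvss is None, -(f.cvss or 0.0)))


def after_control_plane_lockdown(e: Exposure) -> List[Finding]:
    """Findings left once the management port and self IPs are unreachable from
    untrusted networks; the data-plane ones still require the fixed version."""
    return applicable(replace(e, mgmt_port_reachable=False, self_ip_reachable=False))
```

Restricting control-plane reachability removes the two command-execution findings, but the two TMM/ASM overflows remain reachable through ordinary virtual-server traffic, so only the fixed version closes them.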
What are the Challenges?
Though the vulnerabilities have been resolved in the updated versions that have been released, the upgrade path is not a ‘bed of roses’ for organizations. Due to the complexity and rich feature set of BIG-IP appliances, upgrading from an unstable version to the new one poses its own set of challenges.
Critical Challenges are:
- Inefficient Manual Upgrade Methods: Multiple ADCs are spread across different units of the IT infrastructure. Manually upgrading all of the consoles is not only cumbersome but also time-consuming and highly error-prone. A missed dependency is often identified only after the migration, causing potential financial and reputational damage.
- Multiple UCS Backups: Generating backups can be just as challenging as processing a critical service request. Configuration backup methods usually involve a combination of utilities, scripts, and manual tasks, all of which are prone to error. With this traditional approach, archives end up unorganized and difficult to search.
- Pre- and Post-Validation: During migration, the IP addresses of the migrated virtual servers may conflict with existing ones. If the conflicts are not resolved in time, neither the existing nor the migrated virtual server will respond. Troubleshooting or fixing overwritten objects is a complex process that can often end in application downtime.
- Collaboration Issues: Developer and networking teams notoriously work in silos, which can lead to delays in service delivery. Most enterprises use ITSM tools to manage infrastructure changes, and migrating even a simple virtual server with a new IP address may require multiple tickets. Upgrading the console versions manually requires effective collaboration between both teams.
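The pre-validation point above is concrete enough to check mechanically before a change window: a migrated virtual server must not reuse an existing destination, and an object of the same name must not silently replace the existing one. Below is an added example, not AppViewX code, that performs both checks; the `VirtualServer` record type and the sample inventories are constructed for illustration, not real BIG-IP configuration.

```python
"""Pre-migration validation for the conflicts the text describes: migrated virtual
servers that reuse an existing destination or overwrite an existing object of the
same name. Added example, not AppViewX code; record type and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str        # tmsh style: IPv4 "10.0.0.5:443", IPv6 "2001:db8::10.443"
    protocol: str = "tcp"

def parse_destination(dest: str) -> Tuple[str, int]:
    """Normalise a destination to (canonical address, port). IPv6 destinations use a
    '.' before the port because the address itself contains colons."""
    sep = "." if dest.count(":") > 1 else ":"
    host, _, port = dest.rpartition(sep)
    return str(ip_address(host)), int(port)

def listener_key(vs: VirtualServer) -> Tuple[str, int, str]:
    addr, port = parse_destination(vs.destination)
    return addr, port, vs.protocol.lower()

def find_conflicts(existing: List[VirtualServer],
                   migrated: List[VirtualServer]) -> List[Tuple[str, str]]:
    """(existing_name, migrated_name) pairs that would listen on the same
    address, port and protocol after migration; neither would then respond."""
    index: Dict[Tuple[str, int, str], List[str]] = {}
    for vs in existing:
        index.setdefault(listener_key(vs), []).append(vs.name)
    return [(old, vs.name) for vs in migrated for old in index.get(listener_key(vs), [])]

def find_overwrites(existing: List[VirtualServer],
                    migrated: List[VirtualServer]) -> List[str]:
    """Names present on both sides with a different destination: pushing the
    migrated object would silently replace the existing one."""
    current = {vs.name: listener_key(vs) for vs in existing}
    return sorted(vs.name for vs in migrated
                  if vs.name in current and current[vs.name] != listener_key(vs))

# Constructed sample inventories (not from a real device).
EXISTING = [VirtualServer("vs_web", "10.0.0.5:443"),
            VirtualServer("vs_api", "10.0.0.6:443"),
            VirtualServer("vs_v6", "2001:0db8:0000::10.443")]
MIGRATED = [VirtualServer("vs_shop", "10.0.0.5:443"),
            VirtualServer("vs_api", "10.0.0.7:443"),
            VirtualServer("vs_dns", "10.0.0.5:443", "udp"),
            VirtualServer("vs_v6_new", "2001:db8::10.443")]
```

Addresses are canonicalised before comparison, so an IPv6 destination written with leading zeros still collides with its compressed form, while the UDP listener on a shared address is correctly left alone.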
Usually, software upgrades and configuration migrations involve a lot of planning, coordination, and also their fair share of risk. Enterprises need an advanced solution that is flexible enough to address various challenges posed by upgrades and migrations.
Upgrading to Stable F5 version, Made Easy via AppViewX ADC+
Upgrading F5 BIG-IP devices can be painless when armed with the right automation solution. AppViewX ADC+ offers inbuilt, self-serviceable upgrade templates that simplify the upgrade or patch implementation process. AppViewX currently supports BIG-IP versions 11.5.x to 15.x, so you can make sure the upgrade is quick, error-free, and seamless. It helps ADC teams upgrade with ease, decommission legacy systems safely, and ensure the success of your project.
F5 patch updates and version upgrades can be performed in a streamlined and planned manner with automation, within the desired change windows and with repeatable playbooks in place, all with little to no application downtime. With AppViewX ADC+, organizations can migrate configurations across different platforms, ensuring an easy, error-free installation.
- Ready-to-Go Upgrade Workflows: The AppViewX platform provides an intuitive system for designing self-serviceable, event-driven, automated workflows that integrate with ITSM frameworks like ServiceNow (SNOW), Remedy and other third-party systems. It allows users to handle the whole migration process through a single GUI-based pane of glass. The platform also offers out-of-the-box automation workflows for various migration scenarios, accelerating time-to-value.
- Role-Based Access Control: Granular object-level access control enables self-service so that different teams can automate services quickly, easily and on their own. With this granular access, all modules are integrated with RBAC, allowing roles to be customized. It can be used by a single operator or by multiple business units, depending on their functions and roles.
- Easy Automated Backups: The AppViewX platform provides an easy way to manage backups on an on-demand or regularly scheduled basis, saving users time and effort. By keeping an inventory of device backups, it stores configuration data centrally, enabling quick and easy searches. During a patch update or version upgrade, when a device fails or someone pushes the wrong set of configurations, one can simply restore the last known good configuration after comparing the changes that have happened since the failure.
- Rapid Bulk Migration: Self-serviceable automation workflows can be custom-designed to migrate either one instance at a time or multiple instances simultaneously (i.e. bulk migration). In bulk migration, a file with source and destination device details is uploaded, and all necessary validation checks before and after migration are executed by the system, ensuring rapid and efficient delivery.
With the self-serviceable, GUI-based dashboard provided by the AppViewX ADC+ platform, the time to upgrade to the next generation of better-secured applications drops from days to minutes. By simplifying application discovery across environments, automating backups, compliance checks (pre- and post-validation), and change management through built-in integrations with ITSM solutions, AppViewX ADC+ speeds up the error-free upgrade process and safeguards against threats.