F5 Releases Patches

Author: Melodie Foster

Date: 11th March 2021

F5 Releases Patches for Unauthenticated Remote Code Execution Vulnerability and Other Critical Flaws.

The most severe vulnerability could allow for an unauthenticated attacker to completely compromise systems. Patches for other, unrelated flaws were also released.

The two worst flaws have been given a CVSS score of 9.8 and 9.9 out of 10. One of which allows for an unauthenticated attacker that has network access to the iControl REST interface and be able to create and delete files, disable service and execute arbitrary system commands. F5 has said, “this vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise.”

The other flaw would also allow arbitrary commands to be executed but it requires the attacker to be authenticated and able to access BIG-IP’s Traffic Management User Interface. This vulnerability could also lead to a complete system compromise.

Two other critical buffer overflow bugs have also been patched that were both given a CVSS score of 9.0.

The vulnerabilities affect all BIG-IP and BIG-IQ customers and instances and customers are therefore being urged to update their BIG-IP and BIG-IQ deployments as soon as possible.

Currently, updates do not exist across all software branches. The vulnerabilities have been patched in the following software: BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. BIG-IQ versions 8.0.0, 7.1.0.3, and 7.0.0.2 [1].

[1] https://www.zdnet.com/article/f5-issues-big-ip-patches-to-tackle-unauthenticated-remote-code-execution-critical-flaws/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Author: Melodie Foster

Date: 11th March 2021