Privia Security was chosen as one of Türkiye's fastest growing companies!
Privia Security was chosen as one of Türkiye's fastest growing companies!
CVE-2021-22986 has been identified as a vulnerability in the BIG-IP (F5) iControl REST interface that allows an unauthenticated attacker (with anonymous user rights) to execute remote commands. This vulnerability comes before us as a critical vulnerability with a CVSS 9.8 rating. F5 is also one of the most widely used WAF solutions across the world.
We are publishing a detection tool for the Unauthenticated Remote Code Execution vulnerability, which has come before us as one of the most significant vulnerabilities to date. The critical-level CVE-2021-22986 vulnerability is found in the iControl REST service in F5’s BIG-IP and BIG-IQ products and allows an unauthorised attacker to execute code with high privileges and authority on the operating system. NCC Group, in its statement, indicated that the vulnerability code was produced using reverse engineering of the updates.
Using our tool, you can try it out straight away and check whether your system is vulnerable.
This vulnerability allows unauthenticated attackers with network access to the iControl REST interface via the BIG-IP management interface and self IP addresses to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane. However, it cannot be exploited through the data plane. Exploitation may result in complete compromise of the system. At this point the BIG-IP system in appliance mode is also vulnerable.
Note: If you believe your system is at risk, you may consult K11438344: Considerations and guidance when you suspect a security issue on a BIG-IP system. As Privia Security, we provide 24/7 support for all kinds of cyber security consultancy needs. You can find detailed information about our services at [email protected].
To determine whether your version is affected by the vulnerability and whether there are any components or features affected by this vulnerability, you can use the F5 BIG IP Scanning and Detection Tool that we have prepared specifically for organisations. This tool does not keep any information such as IP address or user-agent on record.
When the vulnerability is examined more deeply, it is seen that an attacker who can reach the “/mgmt/tm/util/bash” endpoint of the iControl REST service can execute any code they wish on the system. Using the vulnerability test tool we have prepared for you, you can check whether your system is vulnerable. Our tool accesses the “/mgmt/tm/util/bash” endpoint of your system and attempts to execute the “id” and “uname -a” commands in turn, and makes sure whether your system is vulnerable. The vulnerable versions and the versions in which the vulnerability has been closed are shown in the table above. Even so, we recommend that you upgrade to the latest available version.
Author: Berat Özbay
You May Be Interested In These
