F5 Big IP Critical Vulnerabilities Reported

DESCRIPTION

A new set of critical vulnerabilities have been identified for F5 Big-IP customers. If you are running F5 Big-IP version 12.1.5.2 through 16.0.1.0 you are vulnerable to the reported critical vulnerabilities. 

These vulnerabilities were published by F5 on March 10th, 2021 with update information on March 31st, 2021. 

The vulnerabilities identified allow for the bypass of authentication at the F5 – Big IP application and allows the potential for remote code execution and denial of service (DOS) attacks.

IDENTIFY INDICATORS OF COMPROMISE (IOC)
  • All unpatched F5 systems for the identified versions are vulnerable to the exploits. This does not mean you were impacted.
  • Indicators of compromise (IOC) can vary, there are no specific IOCs related to this vulnerability as of the creation of this bulletin. Therefore, it is necessary to perform a broader IOC check.
    The checks to perform have been published by F5 within this article.
CONTAINMENT (If IOCs are identified)
  • Disable all inbound access to the F5 BIG-IP application. Consider routing web traffic directly to the web applications fronted by Big-IP to ensure applications remain accessible during patching.
REMEDIATION (If IOCs are identified)
  • (Required) Reset all credentials used by or stored by Big-IP, including domain, local, and service accounts. Such credentials may be compromised.
  • (Required) Rebuild the Big-IP system. Keep a copy of the compromised Big-IP image in case forensic analysis is desired. HALOCK recommends performing a forensic analysis if IOCs are present.
      • Consider deploying the patched Big-IP solution behind a Web Application Firewall (WAF). It is likely that a WAF would have protected against the identified web attacks and would have protected against the reported critical vulnerabilities quickly after vulnerability publication.

 

If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or would like to further protect you web applications, please reach out to your HALOCK account manager or schedule a call with one of our security experts.

 

References

  1. https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/
  2. https://threatpost.com/f5-cisa-critical-rce-bugs/164679/
  3. https://www.f5.com/services/support/March2021_Vulnerabilities
  4. https://www.f5.com/pdf/deployment-guides/bigip-update-upgrade-guide.pdf
  5. https://support.f5.com/csp/article/K02566623
  6. https://support.f5.com/csp/article/K02566623