Threat Signal Report

F5 Releases August 2021 Security Advisory Including Critical CVE-2021-23031

Description

FortiGuard Labs is aware that F5 released a security advisory on August 24th about vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory the next day urging customers to apply the fixes or put the necessary mitigations in place.


Of the 13 vulnerabilities that are rated High by the vendor, CVE-2021-23031 is given the highest CVSS score of 8.8 out of 10 and affects BIG-IP Advanced WAF and Application Security Manager (ASM). When exploited, the vulnerability, in the advisory's words, means that "an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services," which may result in the attacker gaining complete control of the system. However, the CVSS score and rating jump to 9.9 and Critical, respectively, when the products are running in Appliance mode. As Appliance mode is described as "designed to meet the needs of customers in especially sensitive sectors", CVE-2021-23031 requires additional attention and care.


When Did the Vendor Post the Advisory?

The vendor released the advisory on August 24th, 2021.


What is the Breakdown of the Advisory?

The advisory lists 13 High vulnerabilities, 15 Medium vulnerabilities, 1 Low vulnerability and 6 security exposures affecting multiple versions of BIG-IP and BIG-IQ. However, the High rating for CVE-2021-23031 is elevated to Critical when the affected products are running in Appliance mode.


For more details, see the Appendix for a link to "K50974556: Overview of F5 vulnerabilities (August 2021)".


What is the Result of Successful Exploitation of CVE-2021-23031?

Successful exploitation means, per the advisory, that "an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services." In the worst-case scenario, the vulnerability enables the attacker to take complete control of the system.


What are the Technical Details of CVE-2021-23031?

The advisory does not offer many technical details, nor does it explain why there are two separate ratings for the vulnerability, other than that the 9.9 rating applies to "the limited number of customers using Appliance mode."


For more details, see the Appendix for a link to "K41351250: BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2021-23031".


What is Appliance Mode?

The following is provided by F5 in regard to Appliance mode:


BIG-IP systems have the option of running in Appliance mode. Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device.


For more details, see the Appendix for a link to "K12815: Overview of Appliance mode".


How Does That Affect Overall Severity of CVE-2021-23031?

Given that the vulnerability allows an authenticated attacker to take complete control of the system, and that the CVSS score rises to 9.9 when the affected products are running in Appliance mode, the rating already reflects a serious risk. Since Appliance mode is designed especially for sensitive sectors, the actual severity could be even higher.


What Products Are Vulnerable to CVE-2021-23031?

BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) are vulnerable to CVE-2021-23031.


Which Versions of WAF and ASM Are Vulnerable to CVE-2021-23031?

The following versions are listed as vulnerable per F5:


  • 16.0.0 - 16.0.1
  • 15.1.0 - 15.1.2
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.3
  • 12.1.0 - 12.1.5
  • 11.6.1 - 11.6.5
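A small triage helper, added here as an example and not code from F5 or FortiGuard Labs, that checks an asset inventory's BIG-IP version strings against the ranges listed above. It assumes versions are written as major.minor.maintenance with an optional fourth point-release component; because the listed bounds only have three components, any point release of a listed branch is flagged for review and the vendor article should be consulted for the exact fixed build.

```python
import re
from typing import Dict, Tuple

# Vulnerable ranges for BIG-IP Advanced WAF / ASM as listed in this report
# (inclusive bounds, major.minor.maintenance). Constructed from the list above.
VULNERABLE_RANGES = [
    ("16.0.0", "16.0.1"),
    ("15.1.0", "15.1.2"),
    ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.3"),
    ("12.1.0", "12.1.5"),
    ("11.6.1", "11.6.5"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maintenance[.point]' into a comparable tuple.
    A missing point release is treated as 0; anything else is rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, maint, point = m.groups()
    return (int(major), int(minor), int(maint), int(point or 0))


def is_listed_vulnerable(version: str) -> bool:
    """True if major.minor.maintenance falls inside a listed range.
    The point release is deliberately ignored (assumption of this example):
    the bounds above have three components, so every point release of a
    listed branch is flagged and the fixed build must be checked with F5."""
    v = parse_version(version)[:3]
    return any(parse_version(low)[:3] <= v <= parse_version(high)[:3]
               for low, high in VULNERABLE_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version to hostname -> 'review' or 'not listed'."""
    return {host: ("review" if is_listed_vulnerable(ver) else "not listed")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"waf-edge-01": "15.1.2", "waf-edge-02": "14.1.4.2",
              "asm-lab-01": "16.1.0", "asm-old-01": "11.6.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```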

Is the Vulnerability Exploited in the Wild?

At the time of this writing, FortiGuard Labs is not aware of the vulnerability being exploited in the wild.


FortiGuard Labs will continue to monitor the situation and provide updates as they become available.


Is There Any Mitigation for CVE-2021-23031?

According to the advisory, "the only mitigation is to remove access (to the Configuration utility) for users who are not completely trusted".


Has the Vendor Released Patches for the Vulnerabilities in their August 2021 Advisory?

Yes, the vendor has released patches for all vulnerabilities listed in the advisory, including CVE-2021-23031.


What is the Status of Coverage?

At the time of writing, there is not sufficient information or proof-of-concept code available for FortiGuard Labs to create protections.


FortiGuard Labs will continue to monitor the situation and provide updates as they become available.


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.