F5 Big IP Critical Vulnerabilities Reported

2021
f5 Big IP Security Risk HALOCK Reasonable Security Cyber Breaches Bulletin F5 Big IP Critical Vulnerabilities Reported

F5 Big IP Critical Vulnerabilities Reported

DESCRIPTION

A new set of critical vulnerabilities have been identified for F5 Big-IP customers. If you are running F5 Big-IP version 12.1.5.2 through 16.0.1.0 you are vulnerable to the reported critical vulnerabilities.

These vulnerabilities were published by F5 on March 10th, 2021 with update information on March 31st, 2021.

The vulnerabilities identified allow for the bypass of authentication at the F5 – Big IP application and allows the potential for remote code execution and denial of service attacks.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

  1. All unpatched F5 systems for the identified versions are vulnerable to the exploits. This does not mean you were impacted.

  2. Indicators of compromise (IOC) can vary, there are no specific IOCs related to this vulnerability as of the creation of this bulletin. Therefore, it is necessary to perform a broader IOC check.
    The checks to perform have been published by F5 within this article.

CONTAINMENT (If IOCs are identified)

  1. Disable all inbound access to the F5 BIG-IP application. Consider routing web traffic directly to the web applications fronted by Big-IP to ensure applications remain accessible during patching.

  2. (Required) Patch the Big-IP solution.

REMEDIATION (If IOCs are identified)

  1. (Required) Reset all credentials used by or stored by Big-IP, including domain, local, and service accounts. Such credentials may be compromised.

  2. (Required) Rebuild the Big-IP system. Keep a copy of the compromised Big-IP image in case forensic analysis is desired. HALOCK recommends performing a forensic analysis if IOCs are present.

    1. Performing a clean install of BIG-IP https://support.f5.com/csp/article/K13117

    2. Backing up and restoring BIG-IP configuration files with UCS archive https://support.f5.com/csp/article/K13132

  3. Consider deploying the patched Big-IP solution behind a Web Application Firewall (WAF). It is likely that a WAF would have protected against the identified web attacks and would have protected against the reported critical vulnerabilities quickly after vulnerability publication.

If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or would like to further protect you web applications, please reach out to your HALOCK account manager or chat with us online at www.halock.com to schedule a call with one of our security experts.

Consult with HALOCK concerning this zero-day vulnerability.

Contact Us


References

  1. https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/  
  2. https://threatpost.com/f5-cisa-critical-rce-bugs/164679/  
  3. https://www.f5.com/services/support/March2021_Vulnerabilities
  4. https://www.f5.com/pdf/deployment-guides/bigip-update-upgrade-guide.pdf
  5. https://support.f5.com/csp/article/K02566623
  6. https://support.f5.com/csp/article/K02566623