[ SB 21.08 ] Big-IP Loadbalancer RCE and DoS with POC released (CVE-2021-22986)

F5 released multiple advisories covering critical vulnerabilities in its BIG-IP appliances, affecting both the control plane (TMUI) and the data plane, with CVSS scores of 9.8 and 9.9 being the most severe.

  • K03009991: iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986). The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)

  • K18132488: Appliance Mode TMUI authenticated remote command execution vulnerability (CVE-2021-22987). When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

  • K70031188: TMUI authenticated remote command execution vulnerability (CVE-2021-22988). TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 8.8 (High)

A simple PoC has been released for one of the data plane bugs, allowing a simple DoS against a BIG-IP appliance.


Patches are available.

Questions? Contact: info@zero.bs