3 vulnerabilities in F5 BIG-IP firewall allow easily deploying DoS attacks

Specialists in malware reverse engineering report the discovery of three serious vulnerabilities in multiple BIG-IP family products, created by the firm specializing in application services and application delivery networks F5 Networks. According to the reports, the successful exploitation of these flaws would allow multiple errors to be generated in the affected systems.

Below are brief descriptions of reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-5926: A leak in virtual server memory when using the ALG SIP profile would allow remote threat actors to send specially designed SIP messages with a multipart MIME payload, triggering a denial of service (DoS) condition. The flaw received a score of 6.5/10, so experts in malware reverse engineering consider it to be a low risk.

CVE-2020-5925: This flaw exists due to insufficient validation of user-provided inputs in User Datagram Protocol (UDP), which could be exploited by remote threat actors to pass a specially designed entry to the application, generating a DoS condition.

The vulnerability received a score of 5.2/10, as the report mentions.

These two flaws reside in the following products and versions:

• BIG-IP: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP LTM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP AAM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP AFM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP Analytics: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP APM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP ASM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP DNS: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP FPS: 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP GTM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP Link Controller: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0
• BIG-IP PEM: 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 13.1.0, 13.1.1, 13.1.3, 14.1.0, 14.1.1, 14.1.2, 15.0.0, 15.0.1, 15.1.0

CVE-2020-5919: The third of the reported flaws resides in BIG-IP Access Policy Manager (APM) and exists due to insufficient validation on user inputs in the access profile. According to experts in malware reverse engineering, remotely authenticated threat actors can pass specially designed entries and deploy DoS attacks against the vulnerable system.

This flaw received a CVSS score of 5.5/10. The vulnerability resides in the following version of the affected software:

• BIG-IP APM: 15.1.0

Although the flaws can be exploited remotely, researchers have not yet detected attempts at active exploitation or any malware variant related to the attack. Updates are now available, so users of affected deployments are encouraged to verify their correct installation.