Critical unpatched vulnerability in F5 BIG-IP and BIG-IQ Centralized Management

Cybersecurity specialists reported the discovery of a critical vulnerability in BIG-IQ Centralized Management, a solution created by F5 Networks for performing common BIG-IP management tasks, including installing hotfixes on a managed BIG-IP device. According to the report, successful exploitation of these flaws would allow threat actors to escalate privileges on affected systems.

Tracked as CVE-2021-33909, this flaw exists due to an integer overflow during size_t-to-int conversion when creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. An un privileged malicious user could write a string of up to 10 bytes with an offset of exactly -2GB-10B below the start of a kernel buffer with vmalloc().

The vulnerability received a Common Vulnerability Scoring System (CVSS) score of 8.5/10 and its successful exploitation would allow threat actors to exploit the out-of-bounds write error for arbitrary code execution with root user privileges, compromising the affected system completely.

The vulnerability resides in the following versions of BIG-IP: 13.1.0, 13.1.0.4, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 14.1.0, 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99.6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1.2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1.0.99.4-ENG Hotfix, 14.1.2.1.0.105.4-ENG Hotfix, 14.1.2.1.0.111.4-ENG Hotfix, 14.1.2.1.0.115.4-ENG Hotfix, 14.1.2.1.0.122.4-ENG Hotfix, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.0.120.11, 14.1.4.2, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 16.0.0, 16.0.1, 16.0.1.1, 16.0.1.1.9.6 & 16.1.0.

The flaw also resides in the following versions of BIG-IQ Centralized Management: 8.0.0, 8.0.0.1 & 8.1.0.

While the vulnerability received a high CVSS score, the risk of exploitation is reduced because the flaw must be exploited locally. To do this, threat actors must successfully authenticate to the affected system, eliminating the risk of a remote attack.

Even though the vulnerability has not been exploited in the wild, there are no patches to address it and an exploit is already publicly available, so it is important that administrators of affected deployments take extra precautions. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.