F5 Patches High Severity RCE Vulnerability in BIG-IP

As part of F5’s monthly security advisory, a high severity Remote Code Execution vulnerability affecting ALL BIG-IP modules was patched. 

Additionally, F5 has disclosed multiple other vulnerabilities affecting BIG-IP and BIG-IQ products. 

For the full list of addressed vulnerabilities and mitigations, review the full F5 Monthly Security Advisory. 

The Vulnerability

An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. 

This vulnerability may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.  

This vulnerability may result in complete system compromise. 

Affected Products

BIG-IP (All Modules), versions: 

  • 15.0.0 – 15.1.0, fixed in 15.1.0.5 
  • 14.1.0 – 14.1.3, fixed in 14.1.3.1 
  • 13.1.0 – 13.1.3, fixed in 13.1.3.5 
  • 12.1.0 – 12.1.6, won’t be fixed, apply workaround. 
  • 11.6.1 – 11.6.5, won’t be fixed, apply workaround. 

Mitigation

  • BIG-IP version 16.x is not vulnerable.  
  • If you are running vulnerable BIG-IP versions 13.x – 15.x, update the product to a fixed version (as written under the ‘Affected Products’ section) or newer. 
  • If you are running vulnerable BIG-IP versions 11.x – 12.x which has no fix, or you are unable to update a fixable version, review and apply the workarounds from the ‘Workaround’ section below. 

Workaround

Until it is possible to install a fixed version, use the following workarounds to mitigate the vulnerability: 

  • Block Configuration utility access through self IP addresses 

You can block all access to the Configuration utility of your BIG-IP system using self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address on the system.  

If you must open any ports, you should use the Allow Custom option, taking care to block access to the Configuration utility.  

By default, the Configuration utility listens on TCP port 443. If you modified the default port, ensure that you block access to the alternate port you configured. 

Note: Performing this action prevents all access to the Configuration utility and iControl REST using the self IP address. These changes may also impact other services, including breaking high availability (HA) configurations. 

Before you make changes to the configuration of yourself IP addresses, F5 strongly recommends that you refer to the following articles:  

If you must expose port 443 on yourself IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system. For more information, refer to the following article: 

Block Configuration utility access through the management interface

To mitigate this vulnerability for affected F5 products, you should restrict management access only to trusted users and devices to F5 products over a secure network. For more information about securing access to BIG-IP systems, refer to the following articles: 

For more information regarding this vulnerability and mitigation procedure, visit the BIG-IP K55543151 Security Advisory. 

References: F5 Security Advisories 

Sign Up for Updates