2:00pm, 12 March 2021
TLP Rating:
Critical vulnerabilities affecting F5 devices
F5 has released security updates for a series of critical vulnerabilities in its BIG-IP and BIG-IQ devices. One of these vulnerabilities would allow a user with unauthenticated access to the iControl interface, to achieve remote code execution and compromise of the device.
The updates also address authenticated remote code execution vulnerabilities and denial-of-service vulnerabilities which can be remotely exploited by an unauthenticated user, and may lead to remote code execution.
What's happening
Systems affected
BIG-IP versions:
- 16.0.0 - 16.0.1
- 15.1.0 - 15.1.2
- 14.1.0 - 14.1.3.1
- 13.1.0 - 13.1.3.5
- 12.1.0 - 12.1.5.2
BIG-IQ versions:
- 7.1.0 - 7.1.0.2
- 7.0.0 - 7.0.0.1
- 6.0.0 - 6.1.0
What this means
F5 has issued security updates to address these vulnerabilities for the affected versions, detailed above. For further information on the specific vulnerabilities, see their advisory.
What to look for
How to tell if you're at risk
You could be affected by these vulnerabilities if you're using the versions of BIG-IP or BIG-IQ detailed above. Please see the F5 advisory to determine which vulnerabilities are likely to affect your devices.
What to do
Prevention
CERT NZ recommends that you update your devices with the latest security updates released by F5 as soon as possible.
Mitigation
There is mitigation advice available on the F5 advisory, such as restricting access to the control plane interfaces iControl/TMUI, and any configuration specific mitigations. However, CERT NZ strongly recommends that users of affected F5 products apply the security updates as soon as possible.
More information
F5’s FAQs on the vulnerabilities External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.