A recently disclosed vulnerability in F5 BIG-IP, assigned CVE-2021-22986, allows unauthenticated remote attackers to execute arbitrary code on vulnerable BIG-IP devices.
On March 10th F5 published a security advisory covering 21 CVEs. The most critical one (CVE-2021-22986) can be exploited for unauthenticated remote code execution. In the past week, several security researchers have reverse engineered the Java software patch F5 published for BIG-IP and posted tweets and blogs with detailed PoCs. We observed multiple exploitation attempts against our customers in the last 4 days.
Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” (THR feeds) enabled are already protected out of the box (OOTB).
Below are manual mitigation steps to address F5 BIG-IP exploitation (for On-Prem customers):
1. Create a new manual dictionary or use an existing one.
2. Create a new signature (inside the dictionary from the previous step) with the following definition:
   - Signature name: CVE-2021-22986: F5 BIG-IP iControl RCE - 1
   - Signature pattern: part="/mgmt/tm/util/bash", part="command", part="utilCmdArgs"
   - Search Signature in: Urls And Parameters
3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
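To show what the three-part signature above actually matches, here is an added example (not Imperva's or F5's code) that re-implements its matching over the "URLs and Parameters" surface and runs it against a few constructed sample requests. It assumes, as the `part=` syntax suggests, that every part must appear somewhere in the URL path, query parameters or body parameters for the signature to fire; the request samples, their ids and the `EXAMPLE` parameter values are constructed for illustration.

```python
"""Added example: minimal re-implementation of the multi-part HTTP signature
from the mitigation steps, run over constructed sample requests.
Not vendor code; the AND semantics of the parts are an assumption."""
import json
from urllib.parse import urlsplit, parse_qsl

# Signature definition taken from the mitigation steps above
SIGNATURE = {
    "name": "CVE-2021-22986: F5 BIG-IP iControl RCE - 1",
    "parts": ("/mgmt/tm/util/bash", "command", "utilCmdArgs"),
}


def _flatten_json(obj):
    """Yield every key and scalar value of a JSON document as text."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield str(key)
            yield from _flatten_json(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _flatten_json(value)
    else:
        yield str(obj)


def searchable_text(url, body="", content_type=""):
    """Build the 'Urls And Parameters' search surface: URL path, query
    parameter names and values, and body parameter names and values."""
    split = urlsplit(url)
    pieces = [split.path]
    for key, value in parse_qsl(split.query, keep_blank_values=True):
        pieces.extend((key, value))
    if body:
        if content_type.startswith("application/json"):
            try:
                pieces.extend(_flatten_json(json.loads(body)))
            except ValueError:
                pieces.append(body)  # unparseable JSON: search the raw text
        else:
            for key, value in parse_qsl(body, keep_blank_values=True):
                pieces.extend((key, value))
    return "\n".join(pieces)


def matches(signature, url, body="", content_type=""):
    """True only when every part of the signature is present (AND semantics)."""
    haystack = searchable_text(url, body, content_type)
    return all(part in haystack for part in signature["parts"])


# Constructed sample traffic (ids, paths and parameter values are made up)
SAMPLE_REQUESTS = [
    {"id": "req-1", "method": "POST", "url": "/mgmt/tm/util/bash",
     "content_type": "application/json",
     "body": json.dumps({"command": "EXAMPLE", "utilCmdArgs": "EXAMPLE"})},
    {"id": "req-2", "method": "GET", "url": "/mgmt/tm/sys/version",
     "content_type": "", "body": ""},
    # same endpoint but only one of the two parameter names: does not fire
    {"id": "req-3", "method": "POST", "url": "/mgmt/tm/util/bash",
     "content_type": "application/json",
     "body": json.dumps({"command": "EXAMPLE"})},
    # parameter names present but on an unrelated path: does not fire
    {"id": "req-4", "method": "GET", "url": "/search?q=utilCmdArgs+command",
     "content_type": "", "body": ""},
]


def flag_requests(requests):
    """Return the ids of requests the signature would flag."""
    return [
        r["id"] for r in requests
        if matches(SIGNATURE, r["url"], r.get("body", ""), r.get("content_type", ""))
    ]


if __name__ == "__main__":
    for rid in flag_requests(SAMPLE_REQUESTS):
        print(f"{SIGNATURE['name']}: flagged {rid}")
```

Only `req-1` is flagged: the signature needs the iControl REST path and both parameter names together, so a legitimate call to another `/mgmt/tm/` endpoint, or a request carrying only one of the names, passes. That is the trade-off the three-part pattern makes between false positives on normal management traffic and coverage, and it is worth keeping in mind when tuning the dictionary.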