F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems

Application service provider F5 is warning that a critical vulnerability allows unauthenticated attackers with network access to execute arbitrary commands on its BIG-IP systems. F5 BIG-IP is a combination of software and hardware built around access control, application availability and security functions.

According to F5, the flaw resides in the representational state transfer (REST) interface of the iControl framework, which is used for communication between F5 devices and users. Threat actors can send undisclosed requests that exploit the flaw to bypass iControl REST authentication and gain access to the BIG-IP system; once in, an attacker can execute arbitrary commands, create or delete files, or disable services.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” said F5 in an advisory. “There is no data plane exposure; this is a control plane issue only,” they added.

A self IP address is an IP address on a BIG-IP system that a customer associates with a VLAN.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert and advised users to apply the required updates.

Affected Versions

The BIG-IP product versions affected by the security vulnerability are:

16.1.0 to 16.1.2
15.1.0 to 15.1.5
14.1.0 to 14.1.4
13.1.0 to 13.1.4
12.1.0 to 12.1.6
11.6.1 to 11.6.5

The F5 will not introduce…
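As an added example (not from the article or from F5), the following script checks a BIG-IP inventory against the affected version ranges listed above. It assumes the lower bound of each range is the first release of that branch (16.1.0, 15.1.0, 14.1.0, 13.1.0, 12.1.0 and 11.6.1), and the inventory data is constructed for illustration.

```python
"""Flag BIG-IP software versions that fall inside the affected ranges.

Ranges follow the article's affected-versions list; the lower bound of
each branch is assumed to be its first release. Inventory data below is
constructed for illustration only.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# (lowest affected, highest affected), inclusive on both ends.
AFFECTED_RANGES = [
    ("16.1.0", "16.1.2"),
    ("15.1.0", "15.1.5"),
    ("14.1.0", "14.1.4"),
    ("13.1.0", "13.1.4"),
    ("12.1.0", "12.1.6"),
    ("11.6.1", "11.6.5"),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.2.1' into (16, 1, 2, 1); reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range.

    Comparison is tuple-wise, so a point release above a range's upper
    bound (e.g. 16.1.2.2 > 16.1.2) is treated as outside the range.
    """
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def affected_devices(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose BIG-IP version is inside an affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, BIG-IP version).
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "16.1.2"),
    ("bigip-edge-02", "16.1.2.2"),
    ("bigip-dc-01", "15.1.5"),
    ("bigip-lab-01", "11.6.0"),
    ("bigip-lab-02", "17.0.0"),
]

if __name__ == "__main__":
    for host in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: affected, apply the F5 update")
```

Versions that compare outside the listed ranges, including point releases above an upper bound, should still be confirmed against F5's advisory before being treated as patched.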