Critical F5 BIG-IP vulnerability (CVE-2021-22986) under active attack

Security researchers are warning of mass scans and active exploits of a Critical vulnerability on F5 BIG-IP and BIG-IQ infrastructure. F5 patched the Critical remote code execution vulnerability CVE-2021-22986 nearly two weeks ago when the networking company confirmed an unauthenticated attacker could exploit the vulnerability in the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services.

Security firm NCC Group spotted exploitation attempts against the F5 BIG-IP/BIG-IQ iControl REST API vulnerability CVE-2021-22986 this past week. Moreover, the security team also observed a “full chain exploitation” from two IPs: 67.216.209[.]142 and 68.183.179[.]130 as recently as March 19.

As revealed in a blog post, Rich Warren and Sander Laarhoven of NCC Group observed multiple exploitation attempts against their honeypot infrastructure.

“This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon,” NCC group explained.

Since the patch was released, researchers posted multiple Proof of Concepts (PoCs), to include a new variant posted to Twitter as recently as March 20 that doesn’t require SSRF.

F5 BIG-IP iControl Unauthenticated Remote Command Execution (CVE-2021-22986) POC ?#RCE #Exploit pic.twitter.com/87fvLVu74I

— Germán Fernández ?? (@1ZRR4H) March 20, 2021

Furthermore, Bad Packets also tweeted out a warning of “mass scanning activity detected” looking for vulnerable F5 infrastructure:

Opportunistic mass scanning activity detected from the following hosts checking for F5 iControl REST endpoints vulnerable to remote command execution (CVE-2021-22986).

112.97.56.78 (??)
13.70.46.69 (??)
115.236.5.58 (??)

Vendor advisory: https://t.co/MsZmXEtcTn #threatintel

— Bad Packets (@bad_packets) March 19, 2021

Other F5 vulnerabilities

In addition to CVE-2021-22986, F5 also patched three other Critical vulnerabilities in the F5 security advisories released March 10:

• CVE-2021-22987: Appliance Mode TMUI authenticated remote command execution vulnerability (CVSS score: 9.9)
• CVE-2021-22991: TMM buffer-overflow vulnerability (CVSS score: 9.0)
• CVE-2021-22992: Advanced WAF/ASM buffer-overflow vulnerability (CVSS score: 9.0).

Finally, F5 also patched two High severity vulnerabilities (CVE-2021-22988 and CVE-2021-22989), as well as a Medium severity bug (CVE-2021-22990).

Related Articles

• F5 patches 4 Critical vulnerabilities
• F5 patches Critical RCE vulnerability (CVE-2020-5902) in BIG-IP configuration utility
• APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations
• Chinese threat actors targeting U.S. government agencies and these 4 CVEs