Message from F5 Networks – To whom it may concern (11-03-2021)

Preface: From a technical point of view, a recurring weakness is code that casts a returned void* to an int* (or some other typed pointer) and starts using it without checking what the memory really holds. This kind of type confusion is one of the memory-safety mistakes that modern attack techniques still build on.

Background: In a classic stack overflow, the attacker overwrites the saved return address with an address such as "…………….", where a "JMP RSP" instruction is located, and places the shellcode immediately after the overwritten return address so that the jump lands in it. In this way even a hardened system appliance can become vulnerable. Can we say this is a design weakness in the code, or has the memory protection simply not been enough?
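The mechanics described above, as an added example that is not part of the original post and not F5 code: a constructed byte buffer is scanned for the FF E4 encoding of JMP RSP (the gadget the attacker needs to land on), and the unchecked fixed-size stack copy that makes a return-address overwrite possible is shown beside a bounded copy that rejects oversized input. The buffer sizes, the sample bytes and the demo inputs are assumptions made for the demonstration and say nothing about the actual BIG-IP code paths behind the CVEs listed below.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte encoding of "jmp rsp" on x86-64 ("jmp esp" on 32-bit x86): FF E4.
 * An attacker hunting for the gadget named in the Background scans the
 * executable pages of loaded modules for exactly this two-byte sequence. */
static const unsigned char JMP_RSP[2] = { 0xFF, 0xE4 };

/* Return the offset of the first FF E4 in buf, or -1 if it is absent. */
long find_jmp_rsp(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == JMP_RSP[0] && buf[i + 1] == JMP_RSP[1])
            return (long)i;
    }
    return -1;
}

/* Constructed sample "code" bytes (assumption, not from any real binary):
 * three NOPs, a RET, a NOP, then the gadget at offset 5, then a RET. */
static const unsigned char sample_text[] = {
    0x90, 0x90, 0x90, 0xC3, 0x90, 0xFF, 0xE4, 0xC3
};

/* Vulnerable pattern: a fixed stack buffer filled by an unchecked copy.
 * A request longer than 64 bytes runs past buf into the saved frame
 * pointer and the saved return address, which is exactly what the
 * attacker overwrites with the gadget address. Shown for contrast only;
 * deliberately never called in this example. */
void handle_request_vulnerable(const char *req)
{
    char buf[64];
    strcpy(buf, req);               /* no length check at all */
    printf("%s\n", buf);
}

/* Hardened form: the caller passes the destination size and the copy
 * refuses anything that would not fit together with the terminator.
 * Returns 0 on success, -1 if the input would have overflowed. */
int copy_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst == NULL || dst_len == 0 || src_len >= dst_len)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Demo driver: build a request of src_len 'A' bytes (constructed input)
 * and push it through copy_bounded into a 64-byte stack buffer. */
int demo_copy(size_t src_len)
{
    char dst[64];
    char src[256];
    if (src_len >= sizeof src)
        return -2;                  /* demo limit, not a security check */
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    return copy_bounded(dst, sizeof dst, src, src_len);
}

int main(void)
{
    printf("gadget offset in sample bytes: %ld\n",
           find_jmp_rsp(sample_text, sizeof sample_text));
    printf("63-byte request: %d\n", demo_copy(63));   /* fits */
    printf("64-byte request: %d\n", demo_copy(64));   /* rejected */
    printf("200-byte request: %d\n", demo_copy(200)); /* rejected */
    return 0;
}
```

The bounded copy is the coding-side answer to the question raised above: whatever the appliance's memory protection does, a copy that knows its destination size never reaches the saved return address in the first place.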

Technical details: The F5 BIG-IP offers many programmable interfaces, from the control plane to the data plane. The two relevant here are:
iControl REST – REST-based API for imperative configuration and service control of BIG-IP from remote applications.
iControl (SOAP) – SOAP-based API for imperative configuration and service control of BIG-IP from remote applications.

Vulnerability details:

CVE-2021-22986 – The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
CVE-2021-22987 – When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

Official announcement: https://support.f5.com/csp/article/K02566623
