UPDATED 22:58 EDT / AUGUST 26 2021

SECURITY

Vulnerabilities in F5 Networks software open the door to hackers

Vulnerabilities in software from network traffic management and security firm F5 Networks Inc. could allow attackers to exploit F5 customers and steal data.

The vulnerabilities, most of them patched in new software updates, were disclosed by F5 on Wednesday. The 29 vulnerabilities run the gamut of issues, with the highest having a Common Vulnerability Scoring System score of 8.8. Thirteen of the 29 vulnerabilities were rated as high-severity.

The 8.8 vulnerability, formally named CVE-2021-23031, affects BIG-IP Advanced WAF and BIG-IP ASM. The vulnerability would allow an authenticated user to perform a privilege escalation. Having gained access to the Configuration utility, an authenticated hacker could execute arbitrary system commands, create or delete files, or disable services. It’s noted that the vulnerability may result in complete system compromise.

F5 did warn, though, that because the main vulnerability can be accessed by any authenticated user, there’s no overall “viable mitigation.” Although it has patched the access path for a hacker, any legitimate authenticated user can still exploit the vulnerability. The only way to mitigate the risk is to remove access for any users who are not entirely trusted to have that access to begin with.

“Since F5’s products are used in many hosting and large enterprise applications, users should check the F5 advisories to check if their equipment is vulnerable,” Sean Nikkel, senior cyberthreat intelligence analyst at digital risk protection service provider Digital Shadows Ltd., told SiliconANGLE. “Attackers gaining control of any of those listed devices, specifically the web application firewall, could wreak havoc across an estate.”

With so many higher-level vulnerabilities listed, organizations must patch them as soon as possible or risk compromise to critical areas of the infrastructure, Nikkel added. “If it can’t be done, steps should be taken to mitigate the risk and at least deploy some of the best practice recommendations from F5, like allowing only trusted, authenticated users to access some of the applications,” he said.

Jonathan Chua, application security consultant at application security provider nVisium LLC, noted that F5 BIG-IP has been targeted by security researchers and adversaries.

“Several F5 application services can be hosted externally, allowing any internet user to attempt to connect to the service,” Chua explained. “Due to the ease of accessibility and the amount of publicly known vulnerabilities associated with F5 applications, the service becomes a prime target for adversaries to break into a company’s network via the external perimeter.”

Yaniv Bar-Dayan, co-founder and chief executive of software-as-a-service cybersecurity risk remediation company Vulcan Cyber Ltd., said that “even though 29 vulnerabilities, with many being high severity, across several F5 devices may seem like a high number, it is par for the course for any notable enterprise tech provider and is a relative drop in the bucket considering the tens of thousands of vulnerabilities disclosed every year.”

Photo: F5 Networks
