DHS Warns of New BIG-IP Vulnerabilities; NIST Has Not Yet Provided Full Details
Last week CISA, part of DHS, issued a warning concerning two new remote code execution vulnerabilities in F5’s BIG-IP and BIG-IQ devices (found here). However, NIST, which is responsible for providing information on such vulnerabilities, has not yet (as of 3/14/2021) provided detailed information on its site (for now, it is listed as “Reserved” on Mitre’s CVE site and does not appear in NIST’s NVD database; Mitre manages NIST’s vulnerability program). F5, the vendor of the vulnerable devices, has stated that the vulnerabilities are considered critical. The two vulnerabilities in question are CVE-2021-22986 and CVE-2021-22987. According to CYR3CON’s machine learning, these vulnerabilities are about 4x and 2x more likely to be exploited than average. According to F5, these vulnerabilities can likely lead to denial of service and, in certain scenarios, to remote code execution.
Perhaps even riskier is an associated vulnerability, CVE-2021-22992, which is over 9x more likely to be exploited than average. As of 3/14/21 Mitre and NIST have not posted any details (although here as well, F5 claims it to be a critical vulnerability). It is noteworthy that F5 states that this vulnerability, a buffer overflow, can result in complete system compromise.
There were over 3,600 new vulnerabilities released in 2021 (as of early March), and it is challenging for teams to have timely and accurate vulnerability prioritization information. Utilizing multiple sources, intelligence, and machine learning can lead to faster and more accurate results that are less dependent on manual effort.
Screenshot on 3/14/21 from the CYR3CON platform for F5 vulnerability (CVE-2021-22992) – note that the CYR3CON platform obtained vulnerability description information from Chinese sources as NIST/Mitre have yet to post this information. CYR3CON provides similar information for the other F5 vulnerabilities including CVE-2021-22986 and CVE-2021-22987.
Screenshots (above and below) on 3/14/21 of Mitre’s and NIST’s information resources (CVE-2021-22992). Mitre/NIST resources also have not posted information for CVE-2021-22986 and CVE-2021-22987.
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today and learn how we've become the most accurate predictor of weaponized exploits, based on peer review.