Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

Remote code execution, denial of service, API abuse possible. Meanwhile, FBI pegs China for Exchange hacks

Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.

An advisory dated today lists seven CVEs, four rated critical.

Most of the bugs concern TMUI – the Traffic Management User Interface that users work with to drive F5 products – and they can be exploited to achieve remote code execution, denial of service attacks, or complete device takeovers; sometimes all three. The iControl REST API that F5 offers to automate its products is also problematic.

To kick off, there's CVE-2021-22987, which scores a 9.9 on the ten-point CVSS scale of severity as it “allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services.” Administrators are advised the flaw allows “complete system compromise and breakout of Appliance mode.” Note that this can only be exploited via the control plane, and it does require an attacker to have a valid login – so a rogue insider or someone using stolen credentials, perhaps.

At a mere 9.8 rating, CVE-2021-22986 “allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.” Complete system compromise is again a possible consequence. We note that this doesn't require authentication, is also only exploitable via the control plane, and yet scores lower than '22987. That's because the latter bug changes the security scope when exploited, apparently.

CVE-2021-22991 and CVE-2021-22992 each score mere 9.0 each.

china hacking

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds


If your installation is vulnerable to '22991, “undisclosed requests to a virtual server may be incorrectly handled by Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack." Breaking URL based access control or allowing remote code execution (RCE) are other possible consequences. Google Project Zero's Felix Wilhelm has more technical details here.

The '22992 flaw is also a potential horror show. F5 says: “A malicious HTTP response to an Advanced WAF/ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise.” Google's Wilhelm has a proof-of-concept exploit and more info here.

You’re not out of the woods yet, dear reader, because the next on the list has an 8.8 CVSS rating, so is still very unpleasant. CVE-2021-22988 means that BIG-IP’s Traffic Management User Interface "has an authenticated remote command execution vulnerability in undisclosed pages."

CVE-2021-22989 throttles back the horror with its 8.0 rating, but it allows “highly privileged authenticated users … to execute arbitrary system commands, create or delete files, or disable services.” Complete system compromise and breakout of Appliance mode are again possible.

The runt of the litter, with a 6.6 rating, is CVE-2021-22990.

Fixes are in if you upgrade BIG-IP to versions,, 14.1.4,,, and CVE-2021-22986 impacts another F5 product, BIG-IQ, and can be fixed with an upgrade to versions 8.0.0,, and

F5’s warning about the seven nasties also drops in a mention that it has released details of 14 other CVEs impacting unrelated to those described above. They’re listed here.

European Banking Authority HQ at 20 Avenue André Prothin, Paris

European Banking Authority restores email service in wake of Microsoft Exchange hack


The seven main bugs are bad enough that America's Cyberspace and Infrastructure Agency (CISA) issued an advisory in which it “encourages users and administrators review the F5 advisory and install updated software as soon as possible.” That's perhaps because foreign miscreants have exploited F5 holes in the past to sneak into networks belonging to Uncle Sam and big business.

CISA and the FBI have also published a Joint Cybersecurity Advisory [PDF] detailing last week’s year-ruining bugs in Microsoft’s Exchange Server.

The dossier says observed attacks exploiting the Exchange flaws are “consistent with previous targeting activity by Chinese cyber actors.”

“Illicitly obtained business information, advanced technology, and research data may undermine business operations and research development of many U.S. companies and institutions,” the document added.

It identifies “local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” has having been attacked via Microsoft’s mistakes. ®

Narrower topics

Other stories you might like

  • FBI warning: Crooks are using deepfake videos in interviews for remote gigs
    Yes. Of course I human. Why asking? Also, when you give passwords to database?

    The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

    The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the "applicant" for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, "database, and software-related job functions". Some of the targeted jobs required access to customers' personal information, financial data, large databases and/or proprietary information.

    "In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," said the FBI in a public service announcement.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – and – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Former chip research professor jailed for not disclosing Chinese patents
    This is how Beijing illegally accesses US tech, say Feds

    The former director of the University of Arkansas’ High Density Electronics Center, a research facility that specialises in electronic packaging and multichip technology, has been jailed for a year for failing to disclose Chinese patents for his inventions.

    Professor Simon Saw-Teong Ang was in 2020 indicted for wire fraud and passport fraud, with the charges arising from what the US Department of Justice described as a failure to disclose “ties to companies and institutions in China” to the University of Arkansas or to the US government agencies for which the High Density Electronics Center conducted research under contract.

    At the time of the indictment, then assistant attorney general for national security John C. Demers described Ang’s actions as “a hallmark of the China’s targeting of research and academic collaborations within the United States in order to obtain U.S. technology illegally.” The DoJ statement about the indictment said Ang’s actions had negatively impacted NASA and the US Air Force.

    Continue reading
  • Five Eyes alliance’s top cop says techies are the future of law enforcement
    Crims have weaponized tech and certain States let them launder the proceeds

    Australian Federal Police (AFP) commissioner Reece Kershaw has accused un-named nations of helping organized criminals to use technology to commit and launder the proceeds of crime, and called for international collaboration to developer technologies that counter the threats that behaviour creates.

    Kershaw’s remarks were made at a meeting of the Five Eyes Law Enforcement Group (FELEG), the forum in which members of the Five Eyes intelligence sharing pact – Australia, New Zealand, Canada, the UK and the USA – discuss policing and related matters. Kershaw is the current chair of FELEG.

    “Criminals have weaponized technology and have become ruthlessly efficient at finding victims,” Kerhsaw told the group, before adding : “State actors and citizens from some nations are using our countries at the expense of our sovereignty and economies.”

    Continue reading

Biting the hand that feeds IT © 1998–2022