Vulnerability CVE-2021-23012

Vulnerability Name:

CVE-2021-23012 (CCN-200922)

Assigned:

2021-04-28

Published:

2021-04-28

Updated:

2022-06-28

Summary:

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 Severity:

8.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.9 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-78

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-23012

Source: XF
Type: UNKNOWN
f5-cve202123012-cmd-exec(200922)

Source: CCN
Type: F5 Security Advisory K04234247
Resource Administrator or Administrator role authenticated local command execution vulnerability CVE-2021-23012

Source: MISC
Type: Vendor Advisory
https://support.f5.com/csp/article/K04234247

Vulnerable Configuration:

Configuration 1:

cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1.1)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 14.1.0 and <= 14.1.4)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.4)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.4)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.3)

Configuration CCN 1:

cpe:/a:f5:big-ip:13.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip:15.0.0:*:*:*:*:*:*:*

OR cpe:/o:f5:big-ip:13.1.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK