CVE-2021-22980
📋 TL;DR
This CVE describes an untrusted search path vulnerability in F5 BIG-IP APM Client Troubleshooting Utility (CTU) for Windows. Attackers can exploit this by placing a malicious DLL in the same directory as the utility, which gets loaded when a user runs the CTU tool. Only Windows systems running specific vulnerable versions of the Edge Client are affected.
💻 Affected Systems
- F5 BIG-IP APM Client Troubleshooting Utility (CTU)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the user running the CTU utility, potentially leading to lateral movement and data exfiltration.
Likely Case
Local privilege escalation or malware execution on the affected Windows system, potentially leading to credential theft or persistence mechanisms.
If Mitigated
Limited impact due to user interaction requirement and proper access controls preventing unauthorized users from placing files in CTU directories.
🎯 Exploit Status
Exploitation requires user interaction (victim must run the CTU utility) and ability to place malicious DLL in the same directory as the utility.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Edge Client 7.2.1.1, 7.1.9.8, or 7.1.8.5 and later
Vendor Advisory: https://support.f5.com/csp/article/K29282483
Restart Required: Yes
Instructions:
1. Download the patched version from F5 Downloads.
2. Uninstall the vulnerable Edge Client.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict CTU Directory Permissions
Limit write access to the CTU utility directory to prevent unauthorized DLL placement:
icacls "C:\Program Files\F5 Networks\APM\CTU" /deny Everyone:(OI)(CI)W
Disable CTU Utility
Remove or restrict execution of the CTU utility if it is not required:
takeown /f "C:\Program Files\F5 Networks\APM\CTU\ctu.exe" /r
icacls "C:\Program Files\F5 Networks\APM\CTU\ctu.exe" /deny Everyone:(OI)(CI)RX
🧯 If You Can't Patch
- Implement strict file system permissions to prevent unauthorized users from writing to CTU directories
- Educate users not to run the CTU utility from untrusted directories or with elevated privileges
🔍 How to Verify
Check if Vulnerable:
Check the Edge Client version via Control Panel > Programs and Features, or run 'apmclient.exe --version' from the command line.
Check Version:
apmclient.exe --version
Verify Fix Applied:
Verify that the installed version is 7.2.1.1, 7.1.9.8, or 7.1.8.5, or later.
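The three fixed builds above belong to different release lines, so a plain numeric comparison is not enough: 7.1.9.2 is numerically above 7.1.8.5 but still below the fix for its own line. The following added example (not F5's code) makes the comparison branch-aware. It assumes that each fixed version is the first safe build of the release line identified by its first three components, and that any line newer than all three is also fixed ("and later").

```python
"""Branch-aware check of an F5 Edge Client version against the fixed
versions named in the advisory. Added example, not vendor code.

Assumption: a fixed version such as 7.1.9.8 covers the release line
7.1.9.x only; 7.1.8.x has its own fix (7.1.8.5) and 7.2.1.x has 7.2.1.1.
"""
from typing import Optional, Tuple

# Fixed builds as listed in the advisory (K29282483)
FIXED_VERSIONS = ("7.2.1.1", "7.1.9.8", "7.1.8.5")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.1.9.8' into (7, 1, 9, 8); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _branch(version: Tuple[int, ...]) -> Tuple[int, ...]:
    # Assumption: the release line is the first three components
    return version[:3]


def fixed_version_for_branch(version: str) -> Optional[str]:
    """Return the advisory's fixed build for this version's release line, if any."""
    branch = _branch(parse_version(version))
    for fixed in FIXED_VERSIONS:
        if _branch(parse_version(fixed)) == branch:
            return fixed
    return None


def is_fixed(version: str) -> bool:
    """True when the build is at or above the fix for its own release line,
    or on a release line newer than every line the advisory lists."""
    parsed = parse_version(version)
    fixed = fixed_version_for_branch(version)
    if fixed is not None:
        return parsed >= parse_version(fixed)
    # Unlisted line: treat as fixed only if newer than the newest listed line;
    # older unlisted lines (e.g. 7.1.7.x) are assumed vulnerable.
    newest = max(parse_version(f) for f in FIXED_VERSIONS)
    return _branch(parsed) > _branch(newest)


def classify(version: str) -> str:
    """Human-readable verdict for a version string reported by the client."""
    fixed = fixed_version_for_branch(version)
    if is_fixed(version):
        return f"{version}: fixed"
    if fixed:
        return f"{version}: vulnerable, upgrade to {fixed} or later on this line"
    return f"{version}: vulnerable, upgrade to a fixed release line"


if __name__ == "__main__":
    for v in ("7.2.1.1", "7.1.9.2", "7.1.8.5", "7.3.0.0", "7.1.7.9"):
        print(classify(v))
```

Feed `classify` the version string reported by the installed client; the same logic fits a fleet inventory export, one row at a time.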
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing CTU execution from unusual directories
- Process creation events for ctu.exe with suspicious parent processes
Network Indicators:
- Unusual outbound connections from systems running CTU utility
SIEM Query:
Process Creation where ImagePath ends with 'ctu.exe' and CommandLine contains unusual parameters
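The indicators above combine two Sysmon event types: process creation (Event ID 1) for where ctu.exe ran and who launched it, and image load (Event ID 7) for which DLLs it pulled in. The following added example (not part of the advisory) implements those checks over constructed records. Field names follow Sysmon's conventions, but the events, the expected install directory, and the parent-process allowlist are assumptions a deployment would tune.

```python
"""Detection logic for the DLL search-order hijack pattern behind
CVE-2021-22980, run over constructed Sysmon-style records.
Added example, not part of the advisory or of any vendor tooling."""
import ntpath
from typing import Dict, List, Tuple

# Assumption: install directory taken from the advisory's workaround commands
EXPECTED_CTU_DIR = r"c:\program files\f5 networks\apm\ctu"
# Assumption: launchers considered normal for the troubleshooting utility
ALLOWED_PARENTS = {"explorer.exe", "apmclient.exe"}
# Directories where system DLLs are expected to live
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower())


def _base(path: str) -> str:
    return ntpath.basename(path.lower())


def inspect_record(rec: Dict[str, object]) -> List[str]:
    """Return zero or more findings for one Sysmon-style event dict."""
    findings: List[str] = []
    image = str(rec.get("Image", ""))
    if _base(image) != "ctu.exe":
        return findings  # only the troubleshooting utility is in scope
    if rec["EventID"] == 1:  # ProcessCreate
        if _dir(image) != EXPECTED_CTU_DIR:
            findings.append(f"ctu.exe executed from unexpected directory: {image}")
        parent = str(rec.get("ParentImage", ""))
        if parent and _base(parent) not in ALLOWED_PARENTS:
            findings.append(f"ctu.exe spawned by unexpected parent: {parent}")
    elif rec["EventID"] == 7:  # ImageLoad
        loaded = str(rec["ImageLoaded"])
        if _dir(loaded) == _dir(image):
            # A DLL resolved from the application's own directory is exactly
            # the search-path behaviour this CVE abuses.
            findings.append(f"DLL loaded from ctu.exe's own directory (sideload candidate): {loaded}")
        elif _dir(loaded) not in SYSTEM_DIRS:
            findings.append(f"DLL loaded from non-system directory: {loaded}")
        if str(rec.get("Signed", "true")).lower() != "true":
            findings.append(f"unsigned DLL loaded: {loaded}")
    return findings


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run inspect_record over a list of events; returns (index, finding) pairs."""
    return [(i, f) for i, rec in enumerate(events) for f in inspect_record(rec)]


# Constructed sample events (not real telemetry)
CTU = r"C:\Program Files\F5 Networks\APM\CTU\ctu.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": CTU, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": CTU, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\ctu.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\ctu.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": CTU, "ImageLoaded": r"C:\Program Files\F5 Networks\APM\CTU\plugin.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Event 4 is the case worth watching even on a patched host: a signed DLL loaded from the CTU's own directory is benign only if it is one the installer shipped, so pair this rule with a file inventory of that directory rather than alerting on it alone.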