CVE-2021-23012
📋 TL;DR
This vulnerability allows authenticated users with Resource Administrator or Administrator roles on affected BIG-IP systems to execute arbitrary bash commands due to insufficient input validation in system support functionality. This could lead to complete system compromise. Affected versions include BIG-IP 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
Big Ip Advanced Web Application Firewall by F5
Big Ip Application Acceleration Manager by F5
Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root-level access, data exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Privilege escalation from Resource Administrator to full system control, configuration manipulation, and credential theft.
If Mitigated
Limited to authorized administrative users only, but still allows privilege boundary bypass within administrative roles.
🎯 Exploit Status
Exploitation requires authenticated access with specific administrative privileges. The vulnerability is in system support functionality with insufficient input validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.1.1, 15.1.3, 14.1.4, 13.1.4
Vendor Advisory: https://support.f5.com/csp/article/K04234247
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from F5 Downloads.
2. Back up the current configuration.
3. Apply the patch using F5 upgrade procedures.
4. Reboot the system as required.
5. Verify the version after reboot.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit Resource Administrator and Administrator role assignments to only essential personnel. Implement strict access controls and monitoring for these roles.
Network Segmentation
Isolate BIG-IP management interfaces from general network access. Restrict access to specific trusted IP addresses only.
🧯 If You Can't Patch
- Implement strict role-based access control and monitor all administrative user activities
- Segment BIG-IP management interfaces and restrict access to specific trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version via GUI (System > Platform) or CLI (tmsh show sys version). Compare against affected versions list.
Check Version:
tmsh show sys version | grep Version
Verify Fix Applied:
Verify that the version is at or above the fix level for its branch: 16.0.1.1 or later on 16.0.x, 15.1.3 or later on 15.1.x, 14.1.4 or later on 14.1.x, or 13.1.4 or later on 13.1.x.
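The version comparison above is easy to get wrong by hand (16.0.1 is affected, 16.0.1.1 is not), so here is an added Python helper that parses the output of `tmsh show sys version` and classifies it against the affected ranges from this advisory. This is example code, not an F5 tool; the layout of the tmsh output in the sample is an assumption and only the `Version` line is used.

```python
import re
import sys

# Fix level per affected branch, taken from this advisory's patch versions.
# A branch not listed here is outside the advisory's scope and is reported
# as "unlisted" rather than guessed at.
FIXED_IN = {
    (16, 0): (16, 0, 1, 1),
    (15, 1): (15, 1, 3),
    (14, 1): (14, 1, 4),
    (13, 1): (13, 1, 4),
}

# Constructed sample of `tmsh show sys version` output. The surrounding
# layout is an assumption; the parser only relies on the "Version" line.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2
  Build       0.0.9
  Edition     Final
"""


def parse_version(tmsh_output):
    """Extract the Version line and return it as a tuple of ints, e.g. (15, 1, 2)."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", tmsh_output, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(part) for part in match.group(1).split("."))


def status_for(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a parsed version tuple.

    Tuple comparison is lexicographic, so (16, 0, 1) < (16, 0, 1, 1) and
    (15, 1, 3) is not < (15, 1, 3): a release is vulnerable exactly when it
    is strictly below the fix level of its major.minor branch.
    """
    branch = version[:2]
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unlisted"
    return "vulnerable" if version < fixed else "fixed"


def check_tmsh_output(tmsh_output):
    """Parse tmsh output and classify it; returns (version_string, status)."""
    version = parse_version(tmsh_output)
    return ".".join(map(str, version)), status_for(version)


if __name__ == "__main__":
    # Real use: tmsh show sys version | python3 check_version.py
    # With no piped input the constructed sample is checked instead.
    text = SAMPLE_TMSH_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(check_tmsh_output(text))
```

The branch lookup matters: a 14.1.x box is judged only against 14.1.4, so a 14.1.3 system is reported vulnerable even though 15.1.3 or 16.0.1.1 are "higher" numbers.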
📡 Detection & Monitoring
Log Indicators:
- Unusual bash command execution in system logs
- Unexpected administrative user activity in support functionality
- Commands with special characters in system support operations
Network Indicators:
- Unusual outbound connections from BIG-IP management interfaces
- Traffic patterns inconsistent with normal administrative operations
SIEM Query:
source="bigip" AND ("bash" OR "command" OR "exec") AND (user_role="administrator" OR user_role="resource_admin")
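Because AND binds tighter than OR in most SIEM query languages, the role test in a query like this must be parenthesised; otherwise every `resource_admin` event matches regardless of source or message. The following added Python filter (not part of the advisory, and using assumed field names `source`, `user_role` and `message` over constructed sample events) implements the query with the grouping and shows, side by side, what the ungrouped form over-matches.

```python
# Constructed sample events standing in for normalised BIG-IP audit records.
# The field names are assumptions for this example, not BIG-IP's own schema.
EVENTS = [
    {"id": 1, "source": "bigip", "user_role": "administrator",
     "message": "support tool invoked: bash -c 'id'"},
    {"id": 2, "source": "bigip", "user_role": "resource_admin",
     "message": "configuration saved"},
    {"id": 3, "source": "bigip", "user_role": "guest",
     "message": "bash command attempted and denied"},
    {"id": 4, "source": "syslog-ng", "user_role": "administrator",
     "message": "exec of scheduled job"},
    {"id": 5, "source": "bigip", "user_role": "resource_admin",
     "message": "exec requested via system support"},
]

KEYWORDS = ("bash", "command", "exec")
PRIVILEGED_ROLES = {"administrator", "resource_admin"}


def has_keyword(message):
    """Case-insensitive substring match for any of the query's keywords."""
    text = message.lower()
    return any(keyword in text for keyword in KEYWORDS)


def matches_grouped(event):
    # source="bigip" AND (bash OR command OR exec)
    #   AND (user_role="administrator" OR user_role="resource_admin")
    return (event["source"] == "bigip"
            and has_keyword(event["message"])
            and event["user_role"] in PRIVILEGED_ROLES)


def matches_ungrouped(event):
    # Same terms without parentheses around the role test. AND binds tighter
    # than OR, so this reads as (bigip AND keyword AND administrator)
    # OR resource_admin: every resource_admin event matches.
    return ((event["source"] == "bigip"
             and has_keyword(event["message"])
             and event["user_role"] == "administrator")
            or event["user_role"] == "resource_admin")


def run_query(predicate, events=EVENTS):
    """Return the ids of the events the predicate selects, in input order."""
    return [event["id"] for event in events if predicate(event)]


if __name__ == "__main__":
    print("grouped:  ", run_query(matches_grouped))    # events 1 and 5
    print("ungrouped:", run_query(matches_ungrouped))  # also the benign event 2
```

Event 2 (a routine configuration save by a Resource Administrator) is the false positive the missing parentheses produce; on a busy device that noise would bury the two events the query is meant to surface.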