CVE-2021-23015

Q: What is the severity of CVE-2021-23015?

CVE-2021-23015 has a CVSS score of 7.2 (HIGH). This vulnerability allows authenticated BIG-IP administrators to bypass Appliance Mode security restrictions using undisclosed iControl REST endpoints. It affects BIG-IP systems running specific versions in Appliance Mode configuration. Attackers with administrator credentials could potentially perform actions that should be restricted in Appliance Mode.

7.2 HIGH

Authentication Bypass

📋 TL;DR

This vulnerability allows authenticated BIG-IP administrators to bypass Appliance Mode security restrictions using undisclosed iControl REST endpoints. It affects BIG-IP systems running specific versions in Appliance Mode configuration. Attackers with administrator credentials could potentially perform actions that should be restricted in Appliance Mode.

💻 Affected Systems

Products:

F5 BIG-IP

Versions: BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x

Operating Systems: F5 TMOS

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when running in Appliance Mode configuration. Software versions which have reached End of Technical Support (EoTS) are not evaluated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated malicious administrator could bypass all Appliance Mode restrictions, potentially gaining full system control, accessing restricted data, or modifying critical configurations that should be locked down.

🟠

Likely Case

An administrator with legitimate credentials but malicious intent could bypass specific Appliance Mode restrictions to perform unauthorized actions that violate security policies.

🟢

If Mitigated

With proper access controls and monitoring, the impact is limited to authorized administrators who might bypass some restrictions but would still be subject to audit trails.

🌐 Internet-Facing: MEDIUM - While exploitation requires administrator credentials, internet-facing BIG-IP systems could be targeted if credentials are compromised.

🏢 Internal Only: HIGH - Internal administrators with legitimate access could exploit this vulnerability to bypass security controls and violate security policies.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated administrator access and knowledge of undisclosed iControl REST endpoints. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP 15.1.3, 14.1.4.2, 13.1.3.7, and 16.1.0

Vendor Advisory: https://support.f5.com/csp/article/K74151369

Restart Required: Yes

Instructions:

1. Download appropriate patch from F5 Downloads site. 2. Backup current configuration. 3. Apply patch following F5 upgrade procedures. 4. Reboot system as required. 5. Verify patch installation and functionality.

🔧 Temporary Workarounds

Disable Appliance Mode

all

If Appliance Mode is not required, disable it to remove the vulnerability surface.

tmsh modify sys db provision.extramb value 0
tmsh save sys config

Restrict iControl REST Access

all

Limit access to iControl REST endpoints to trusted IP addresses only.

tmsh modify /sys httpd allow replace-all-with { trusted_ip_ranges }

🧯 If You Can't Patch

Implement strict access controls and monitoring for administrator accounts
Disable Appliance Mode if not required for your deployment

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version with 'tmsh show sys version' and verify if running in Appliance Mode with affected versions.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify installed version is patched with 'tmsh show sys version' and confirm version is 15.1.3+, 14.1.4.2+, 13.1.3.7+, or 16.1.0+.

📡 Detection & Monitoring

Log Indicators:

Unusual iControl REST endpoint access by administrators
Configuration changes that should be restricted in Appliance Mode
Failed attempts to access restricted endpoints

Network Indicators:

Unusual REST API traffic patterns from administrator accounts
Access to undocumented iControl endpoints

SIEM Query:

source="bigip" AND ("iControl" OR "REST") AND user_role="Administrator" AND action="modify"

📊 Metadata

CVE ID: CVE-2021-23015

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-863

Published: May 10, 2021

Last Updated: November 21, 2024

🔗 References

https://support.f5.com/csp/article/K74151369 Vendor Advisory
https://support.f5.com/csp/article/K74151369 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Access Policy Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Firewall Manager by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Advanced Web Application Firewall by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Analytics by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Acceleration Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Application Security Manager by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Ddos Hybrid Defender by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Domain Name System by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Fraud Protection Service by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Global Traffic Manager by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Link Controller by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Local Traffic Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Policy Enforcement Manager by F5

Big Ip Ssl Orchestrator by F5

Big Ip Ssl Orchestrator by F5

Big Ip Ssl Orchestrator by F5

Big Ip Ssl Orchestrator by F5

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Appliance Mode

Restrict iControl REST Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata