CVE-2021-23023
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in cachecleaner.dll within the BIG-IP Edge Client Windows Installer. Attackers can exploit this by placing a malicious DLL in a location where the application searches for it, potentially executing arbitrary code. Affected users are those running vulnerable versions of BIG-IP Edge Client on Windows systems.
💻 Affected Systems
- F5 BIG-IP Edge Client
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the user running the Edge Client, potentially leading to lateral movement and data exfiltration.
Likely Case
Local privilege escalation or malware execution if an attacker can place a malicious DLL in a writable directory that the application searches.
If Mitigated
Limited impact if proper application whitelisting and DLL search path restrictions are enforced.
🎯 Exploit Status
Requires local access or ability to place malicious DLL in search path. DLL hijacking is a well-known attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.1.3 or 7.1.9.9 Update 1
Vendor Advisory: https://support.f5.com/csp/article/K33757590
Restart Required: Yes
Instructions:
1. Download the patched version from F5 support portal.
2. Uninstall the vulnerable Edge Client.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict DLL search paths
Windows: Use Windows policies to restrict where applications can load DLLs from
Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > DLL Rules
Remove vulnerable component
Windows: Remove or restrict access to cachecleaner.dll if not required
takeown /f "C:\Program Files\F5 Networks\Edge Client\cachecleaner.dll"
icacls "C:\Program Files\F5 Networks\Edge Client\cachecleaner.dll" /deny Everyone:(F)
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized DLL execution
- Restrict user permissions to prevent DLL placement in search paths
🔍 How to Verify
Check if Vulnerable:
Check Edge Client version in Control Panel > Programs and Features or via 'F5EdgeClient.exe --version' command
Check Version:
"C:\Program Files\F5 Networks\Edge Client\F5EdgeClient.exe" --version
Verify Fix Applied:
Verify installed version is 7.2.1.3 or 7.1.9.9 Update 1 or later
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Process Monitor logs showing cachecleaner.dll access attempts
Network Indicators:
- Unusual network connections from Edge Client process
SIEM Query:
source="windows" AND (event_id=7 OR event_id=11) AND process_name="F5EdgeClient.exe" AND dll_loaded="*cachecleaner.dll*"
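The log indicator and query above, worked as an added example (not code from F5 or from this page's source). It assumes event_id=7 refers to Sysmon's image-load event with its Image, ImageLoaded, Signed and SignatureStatus fields, and that the install directory is the one shown in the paths on this page. It goes beyond the query by checking every process, not only F5EdgeClient.exe, and by flagging a cachecleaner.dll that resolves outside the install directory or is not validly signed. The sample events are constructed.

```python
import json
import ntpath

# Directory and DLL name come from this page; adjust TRUSTED_DIR if the client
# is installed elsewhere.
TRUSTED_DIR = r"C:\Program Files\F5 Networks\Edge Client"
TARGET_DLL = "cachecleaner.dll"

# Constructed Sysmon Event ID 7 (image load) records, one JSON object per line.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Program Files\\F5 Networks\\Edge Client\\F5EdgeClient.exe", "ImageLoaded": "C:\\Program Files\\F5 Networks\\Edge Client\\cachecleaner.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\setup.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\cachecleaner.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\F5 Networks\\Edge Client\\F5EdgeClient.exe", "ImageLoaded": "c:/program files/f5 networks/edge client/CACHECLEANER.DLL", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
'''


def normalize(path):
    """Fold case and separators and collapse '..' so path comparisons hold."""
    return ntpath.normcase(ntpath.normpath(path))


def suspicious_loads(lines):
    """Return one finding per cachecleaner.dll load that looks out of place."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 7:
            continue
        loaded = normalize(event.get("ImageLoaded", ""))
        if ntpath.basename(loaded) != TARGET_DLL:
            continue
        reasons = []
        if ntpath.dirname(loaded) != normalize(TRUSTED_DIR):
            reasons.append("outside install directory")
        # Assumption: the vendor's copy carries a valid Authenticode signature.
        if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append({"process": event.get("Image"),
                             "dll": event.get("ImageLoaded"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_loads(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Normalizing before comparing means a load logged with different case, forward slashes or a `..` segment is still judged against the real resolved directory.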