CVE-2021-23029
📋 TL;DR
This vulnerability allows authenticated users with guest privileges in F5 Advanced WAF and BIG-IP ASM Configuration utility to perform Server-Side Request Forgery attacks. Attackers can make the vulnerable system send requests to internal or external resources, potentially accessing sensitive information. Only version 16.0.x before 16.0.1.2 is affected.
💻 Affected Systems
- F5 Advanced Web Application Firewall (WAF)
- BIG-IP ASM Configuration utility
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal systems, exfiltrate sensitive data, or pivot to other network resources by making the vulnerable system send requests to internal services.
Likely Case
Unauthorized access to internal APIs, metadata services, or other resources accessible from the vulnerable system's network position.
If Mitigated
Limited impact if proper network segmentation and access controls prevent the vulnerable system from reaching sensitive internal resources.
🎯 Exploit Status
Requires authenticated guest user access. The vulnerability is in permission checks, making exploitation straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.1.2 or later
Vendor Advisory: https://support.f5.com/csp/article/K52420610
Restart Required: Yes
Instructions:
1. Download the patch from the F5 Downloads site.
2. Back up the current configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart the system.
5. Verify the version is 16.0.1.2 or later.
🔧 Temporary Workarounds
Disable guest accounts
Remove or disable guest user accounts to prevent exploitation
tmsh modify auth user guest disabled yes
Restrict network access
Implement network segmentation to limit what the vulnerable system can reach
🧯 If You Can't Patch
- Disable all guest user accounts immediately
- Implement strict network segmentation and firewall rules to limit outbound connections from the vulnerable system
🔍 How to Verify
Check if Vulnerable:
Check whether the system is running a 16.0.x version earlier than 16.0.1.2, and whether any guest accounts exist and are enabled.
Check Version:
tmsh show sys version
Verify Fix Applied:
Confirm version is 16.0.1.2 or later using 'tmsh show sys version' and verify guest accounts are disabled or removed.
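The version-range check above as a small script, added here as an example and not part of the F5 advisory: it reads the Version field from captured tmsh output and flags only 16.0.x builds earlier than 16.0.1.2. The sample output is constructed to resemble `tmsh show sys version`; the exact layout on a real unit may differ, and the guest-account state is passed in rather than queried.

```python
import re

# First fixed build per the advisory.
FIXED = (16, 0, 1, 2)

# Constructed sample of `tmsh show sys version` output (not a real capture).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.0.1.1
  Build       0.0.6
  Edition     Point Release 1
"""


def parse_version(text: str) -> tuple:
    """Extract the 'Version' field from tmsh output as a tuple of ints."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(p) for p in m.group(1).split("."))


def normalize(v: tuple) -> tuple:
    """Pad to four components so 16.0 compares as 16.0.0.0."""
    return tuple((v + (0, 0, 0, 0))[:4])


def is_affected(version: tuple) -> bool:
    """True only for 16.0.x builds earlier than the 16.0.1.2 fix.
    Compare numerically: as strings, '16.0.1.10' would sort before '16.0.1.2'."""
    v = normalize(version)
    return v[:2] == (16, 0) and v < FIXED


def assess(tmsh_output: str, guest_enabled: bool) -> str:
    """Combine the version check with the guest-account precondition."""
    if not is_affected(parse_version(tmsh_output)):
        return "not affected"
    if not guest_enabled:
        return "affected version, but no enabled guest account (mitigated)"
    return "VULNERABLE: patch to 16.0.1.2 or later"


if __name__ == "__main__":
    print(assess(SAMPLE_TMSH_OUTPUT, guest_enabled=True))
```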
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the WAF/ASM system
- Guest user account activity
- Requests to internal IP ranges from the system
Network Indicators:
- Unexpected outbound connections from the WAF/ASM system to internal services
- Traffic patterns suggesting SSRF attempts
SIEM Query:
source="f5-bigip" AND (user="guest" OR (http_request AND dest_ip IN [internal_ranges]))