CVE-2021-23037
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in the BIG-IP Configuration utility that allows attackers to execute malicious JavaScript in the context of logged-in administrators. All BIG-IP users running affected versions are vulnerable. The vulnerability requires an attacker to trick an authenticated user into clicking a malicious link.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
BIG-IP Application Acceleration Manager by F5
BIG-IP Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the BIG-IP system, allowing an attacker to steal administrator credentials, modify configurations, create backdoors, or pivot to internal networks.
Likely Case
Session hijacking leading to unauthorized configuration changes, data exfiltration, or installation of malicious scripts.
If Mitigated
Limited impact due to proper access controls, network segmentation, and user awareness preventing successful social engineering.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users. The specific vulnerable page is undisclosed by F5.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in 17.0.0, 16.1.3.2, 16.0.1.3, 15.1.5.1, 14.1.4.6, 13.1.5, and later maintenance releases
Vendor Advisory: https://support.f5.com/csp/article/K21435974
Restart Required: Yes
Instructions:
1. Download the appropriate patch from F5 Downloads.
2. Back up the current configuration.
3. Apply the patch following F5 upgrade procedures.
4. Restart the BIG-IP system.
5. Verify the fix and functionality.
🔧 Temporary Workarounds
Restrict Configuration Utility Access
Limit access to the Configuration utility to trusted networks only using firewall rules or network segmentation.
Implement Content Security Policy
Add CSP headers to prevent execution of unauthorized scripts.
🧯 If You Can't Patch
- Implement strict network access controls to limit Configuration utility access to trusted IPs only
- Enable multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check BIG-IP version using 'tmsh show sys version' and compare against affected versions list
Check Version:
tmsh show sys version
Verify Fix Applied:
Verify that the installed version is patched using 'tmsh show sys version' and confirm it is not in the vulnerable range.
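Comparing the installed version against the fixed releases above by hand is error-prone because the fix lands on a different point release per branch (16.1.3.2 is patched, 16.1.3 is not). The script below is an added example, not part of this page or an F5 tool: it pulls the Version field out of 'tmsh show sys version' output (the sample output is constructed) and reports whether that version is at or past the first fixed release on its major.minor branch.

```python
import re

# First fixed release on each branch, as listed in the advisory section above.
FIXED_VERSIONS = ["17.0.0", "16.1.3.2", "16.0.1.3", "15.1.5.1", "14.1.4.6", "13.1.5"]


def parse_version(text):
    """'16.1.3.2' -> (16, 1, 3, 2); tuples compare point releases correctly,
    e.g. (16, 1, 3) < (16, 1, 3, 2)."""
    return tuple(int(part) for part in text.strip().split("."))


# Branch key (major, minor) -> first fixed version on that branch.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}

# Constructed sample of 'tmsh show sys version' output (not captured from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.5
  Build       0.0.8
  Edition     Final
"""


def version_from_tmsh(output):
    """Extract the dotted version from the 'Version' line of tmsh output."""
    match = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in tmsh output")
    return match.group(1)


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version.
    Branches newer than any listed fix are treated as patched ('and later
    maintenance releases'); older branches with no listed fix are 'unknown'."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch > max(FIXED_BY_BRANCH):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    installed = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(f"BIG-IP {installed}: {assess(installed)}")  # 15.1.5: vulnerable
```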
📡 Detection & Monitoring
Log Indicators:
- Unusual Configuration utility access patterns
- Suspicious URL parameters in web logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- HTTP requests with suspicious JavaScript payloads in URL parameters
- Traffic to Configuration utility from unexpected sources
SIEM Query:
source="bigip_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
Note that script payloads in URL parameters are commonly percent-encoded (for example %3Cscript%3E), so decode the url field before matching or include the encoded forms in the query.