In the closing week of August, VMware, Cisco and F5 announced several vulnerabilities, along with security updates, affecting their respective products.
Below is a brief summary of the impact a successful attack on the affected appliances may have, together with mitigation recommendations.
VMware
Arbitrary file read vulnerabilities in vRealize Operations Manager API CVE-2021-22022/CVE-2021-22024
Severity: Moderate (CVE-2021-22022) / Important (CVE-2021-22024)
Two file read vulnerabilities exist in the vRealize Operations Manager API. With CVE-2021-22022, an attacker with administrative access to the API can read arbitrary files on the server, leading to information disclosure. CVE-2021-22024 is an arbitrary log-file read: an unauthenticated attacker with network access to the API can read any log file, which is why it carries the higher rating.
Insecure direct object reference vulnerability in vRealize Operations Manager API CVE-2021-22023
Severity: Important
An insecure direct object reference (IDOR) vulnerability exists in the vRealize Operations Manager API. A malicious actor with administrative access to the API may be able to modify other users' information, leading to account takeover.
Broken access control vulnerability in vRealize Operations Manager API CVE-2021-22025
Severity: Important
The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster.
Mitigation
Download and install the Security Patch that matches your version of vRealize Operations: obtain the vRealize Operations Security Patch PAK file from the VMware Patch Portal and apply it through the vROps admin interface. Take a snapshot of the nodes before applying the patch so the change can be rolled back. Because CVE-2021-22025 is reachable without authentication, also restrict network access to the vROps API to management networks until the patch is in place. For more information on patching, please refer to this link.
Cisco
Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability CVE-2021-1577
Severity: 9.1 (Critical)
A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system.
This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.
Cisco NX-OS Software VXLAN OAM (NGOAM) Denial of Service Vulnerability CVE-2021-1587
Severity: 8.6 (High)
A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
NGOAM is disabled by default. The vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit it by sending crafted packets to an affected device. A successful exploit could cause high CPU usage and excessive consumption of system resources, which may result in overall control plane instability and cause the affected device to reload.
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software, they have the NGOAM feature enabled, and they are configured with a virtual port channel (vPC) peer:
- Nexus 3000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
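To triage which Nexus switches meet the two configuration conditions above, the following added example (not Cisco's tooling, and not part of the original advisory summary) parses `show running-config` output for a `feature ngoam` line and a `vpc domain` stanza. The sample configurations are constructed, and the heuristic assumes NX-OS's `feature <name>` and `vpc domain <id>` syntax; whether the running release is itself vulnerable still has to be checked against the advisory's fixed-release table.

```python
"""
Added example (not Cisco tooling): triage a Nexus 3000/9000 running-config
for the two configuration preconditions Cisco lists for CVE-2021-1587,
NGOAM enabled and a vPC peer configured. Whether the NX-OS release itself is
vulnerable must still be checked against the advisory's fixed-release table.
"""
import re
from dataclasses import dataclass

# Assumptions about the config syntax: NX-OS shows enabled features as
# top-level "feature <name>" lines, and a vPC peer is configured through a
# "vpc domain <id>" stanza carrying the peer-keepalive/peer-link settings.
FEATURE_RE = re.compile(r"^feature\s+(\S+)\s*$")
VPC_DOMAIN_RE = re.compile(r"^vpc\s+domain\s+\d+\s*$")


@dataclass(frozen=True)
class Cve20211587Exposure:
    ngoam_enabled: bool
    vpc_peer_configured: bool

    @property
    def config_preconditions_met(self) -> bool:
        """True when both configuration conditions from the advisory hold."""
        return self.ngoam_enabled and self.vpc_peer_configured


def _top_level_lines(running_config: str):
    """Yield non-comment, non-indented lines of a running-config."""
    for raw in running_config.splitlines():
        if not raw or raw.startswith((" ", "!")):
            continue  # indented stanza body or comment line
        yield raw.rstrip()


def assess_cve_2021_1587(running_config: str) -> Cve20211587Exposure:
    """Evaluate the NGOAM and vPC preconditions from `show running-config` text."""
    features = set()
    vpc_domain_present = False
    for line in _top_level_lines(running_config):
        m = FEATURE_RE.match(line)
        if m:
            features.add(m.group(1).lower())
            continue
        if VPC_DOMAIN_RE.match(line):
            vpc_domain_present = True
    return Cve20211587Exposure(
        ngoam_enabled="ngoam" in features,
        # Require both the feature and a domain stanza: "feature vpc" alone
        # does not establish a vPC peer.
        vpc_peer_configured=("vpc" in features and vpc_domain_present),
    )


# Constructed sample configs (not captured from real devices).
SAMPLE_EXPOSED = """\
!Command: show running-config
hostname leaf-1
feature vpc
feature ngoam
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  peer-gateway
interface port-channel1
  vpc peer-link
"""

SAMPLE_NGOAM_WITHOUT_VPC = """\
hostname leaf-2
feature ngoam
interface Ethernet1/1
  description uplink
"""

SAMPLE_VPC_WITHOUT_NGOAM = """\
hostname leaf-3
feature vpc
vpc domain 20
  peer-keepalive destination 192.0.2.4 source 192.0.2.3
"""


if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED),
                      ("ngoam-only", SAMPLE_NGOAM_WITHOUT_VPC),
                      ("vpc-only", SAMPLE_VPC_WITHOUT_NGOAM)]:
        result = assess_cve_2021_1587(cfg)
        print(f"{name}: {result} -> preconditions met: {result.config_preconditions_met}")
```

On a single device, `show running-config | include ngoam` and `show vpc brief` answer the same two questions interactively; the script is meant for sweeping configuration backups collected from many switches at once.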
Mitigation
Cisco has released free software updates that address the vulnerabilities described in each product's advisory, linked below. Schedule the upgrade for a maintenance window and take a backup of the current configuration before proceeding. Because CVE-2021-1577 is exploitable without authentication, restrict reachability of the APIC management interface to trusted networks until the update is applied.
F5
F5 has addressed more than a dozen high-severity vulnerabilities across multiple products. They include an authenticated remote command execution flaw, cross-site scripting (XSS) issues, request forgery bugs, insufficient permission checks and denial-of-service flaws, among them one issue (CVE-2021-23031) that is rated critical when exploited under specific conditions (Appliance mode). For that issue, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services, which could allow complete compromise of the device.
BIG-IP TMUI vulnerability CVE-2021-23025
Severity: 7.2 (High)
An authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.
iControl SOAP vulnerability CVE-2021-23026
Severity: 7.5 (High)
BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
TMUI XSS vulnerability CVE-2021-23027
Severity: 7.5 (High)
A DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
BIG-IP Advanced WAF and ASM vulnerability CVE-2021-23028, CVE-2021-23029
Severity: 7.5 (High)
CVE-2021-23028: When JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.
CVE-2021-23029: Insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.
BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23030
Severity: 7.5 (High)
When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
BIG-IP Advanced WAF and ASM TMUI vulnerability CVE-2021-23031
Severity: 8.8 (High) / 9.9 (Appliance Mode Only)
Note: The limited number of customers using Appliance Mode will have Scope: Changed, which raises the CVSSv3 score to 9.9. For information on Appliance mode, refer to K12815: Overview of Appliance mode.
An authenticated user may perform a privilege escalation on BIG-IP Advanced WAF and ASM TMUI.
BIG-IP DNS vulnerability CVE-2021-23032
Severity: 7.5 (High)
When a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate.
BIG-IP Advanced WAF and ASM Websocket vulnerability CVE-2021-23033
Severity: 7.5 (High)
When a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
BIG-IP TMM vulnerability CVE-2021-23034
Severity: 7.5 (High)
When a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.
TMM vulnerability CVE-2021-23035, CVE-2021-23036
Severity: 7.5 (High)
CVE-2021-23035: When an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.
CVE-2021-23036: When a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
TMUI XSS vulnerability CVE-2021-23037
Severity: 7.5 (High)
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
Mitigation
Updates are available to remediate these vulnerabilities in the affected F5 products; apply them as soon as possible to eliminate the risk they pose. Until the updates are installed, reduce exposure of the Configuration utility (TMUI) and iControl interfaces: block access through self IP addresses and restrict management-interface access to trusted administrative networks, since the TMUI, iControl SOAP and XSS issues above all require reaching those interfaces. For more information on applying security updates, please consult the following link provided by F5.