Cybersecurity specialists reported the discovery of a critical vulnerability in F5 BIG-IP whose exploitation would allow unauthenticated threat actors to execute arbitrary code on affected deployments.

Tracked as CVE-2021-20305, this flaw resides in versions of the Nettle component used by F5 BIG-IP prior to v3.7.2, where Nettle's signature verification functions result in the elliptic curve cryptography (ECC) point multiplication function being invoked with out-of-range scalars, which could lead to incorrect results.

The vulnerability would allow threat actors to force an invalid signature, causing an assertion failure or possible validation. The greatest threat from this vulnerability is to the confidentiality, integrity, and availability of the target system.

This flaw received a score of 7.4/10 according to the Common Vulnerability Scoring System (CVSS) and its exploitation would allow unauthenticated remote attackers to execute arbitrary code.

The following are the vulnerable versions of BIG-IP: 14.1.0, 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99.6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1.2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1.0.99.4-ENG Hotfix, 14.1.2.1.0.105.4-ENG Hotfix, 14.1.2.1.0.111.4-ENG Hotfix, 14.1.2.1.0.115.4-ENG Hotfix, 14.1.2.1.0.122.4-ENG Hotfix, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.0.120.11, 14.1.4.2, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 16.0.0, 16.0.1, 16.0.1.1 and 16.0.1.1.9.6.

While the flaw can be exploited by unauthenticated threat actors, BIG-IP developers have not reported detection of active exploitation attempts or the presence of a malware variant associated with this attack. No patches have been released to address this vulnerability at this time, so users of affected deployments are encouraged to stay on top of any new F5 announcements.
