If exploited, allows attackers to take full control over a vulnerable system…
CVEs: 22986, 22987, 22991, 22992
The 2 most critical vulnerabilities allow a remote attacker with access to the user interface (or REST API via the user interface) to gain full control of the system and execute arbitrary system commands, create or delete files, and disable services. The most critical is unauthenticated. Exploitation can lead to complete system compromise. The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged companies using BIG-IP and BIG-IQ to fix the critical F5 flaws.
The 2 most critical vulnerabilities allow a remote attacker with access to the user interface (or REST API via the user interface) to gain full control of the system and execute arbitrary system commands, create or delete files, and disable services. The most critical is unauthenticated. Exploitation can lead to complete system compromise. The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged companies using BIG-IP and BIG-IQ to fix the critical F5 flaws.
https://www.f5.com/services/support/March2021_Vulnerabilities
FortiGuard Outbreak Alert
Big-IP & Big-IQ
Fortinet Products Summary
FortiGate
FortiProxy
FortiAnalyzer
Threat Hunting Report
IPS
IPS
Event Handler
Detects CVEs 2021-22986, 2021-22991 and 2021-22992.
(Not applicable to 2021-22987 which requires authentication)
(Not applicable to 2021-22987 which requires authentication)
18.044
18.044
6.2, 6.4
Services
Version
Other info
Same as FortiGate
Background
These are “in the wild” vulnerabilities for existing software - refer to versions listed by F5 to see if you
are impacted based on the versions you may be running. Details for the 2 most critical
vulnerabilities can be found in the big tables on these articles:
On March 10, F5 announced several vulnerabilities and strongly urged customers to upgrade:
https://www.f5.com/services/support/March2021_Vulnerabilities
F5 Annoucement
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C2
Action
FortiGate
FortiProxy
Version Info: 18.044
Link: https://www.fortiguard.com/updates/ips?version=18.044
Other Info: Individual protections for each CVE:
FortiProxy
Version Info: 18.044
Link: https://www.fortiguard.com/updates/ips?version=18.044
Other Info: Individual protections for each CVE:
FortiGuard IPS Protection
FortiAnalyzer Event Hanlders & Reports
Version Info: 6.2, 6.4
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51875
Other Info: Dete
Version Info: 6.2, 6.4
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51875
Other Info: Dete
SIEM Rules & Reports
Version Info: 5.x, 6.x
Link: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD51887
Other Info: Detects IPS indicators for these F5 Big-IP and Big-IQ vulnerabilities.
Version Info: 5.x, 6.x
Link: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD51887
Other Info: Detects IPS indicators for these F5 Big-IP and Big-IQ vulnerabilities.
FortiAnalyzer Event Handlers & Reports
FortiSIEM Rules & Reports
Analyzer / SIEM / SOAR Threat Hunting & Playbooks
Incident Detection (Security Operations)
To help customers identify and protect vulnerable, FortiAnalyzer, FortiSIEM and FortiSOAR updates are
available to raise alerts and escalate to incident response:
Cyber Kill Chain
FortiSIEM
Rules & Threat Hunting Report
5.x, 6.x
On March 20, multiple stories reported the F5 vulnerabilities under “active attack”.
FortiGuard IPS protects against 3 of the 4 critical CVEs identified (the 4th being 22987 which requires authentication). FortiGuard Labs Threat Signal Report is available from:
FortiGuard IPS protects against 3 of the 4 critical CVEs identified (the 4th being 22987 which requires authentication). FortiGuard Labs Threat Signal Report is available from:
https://www.fortiguard.com/threat-signal-report/3891
Latest Developments
https://support.f5.com/csp/article/K18132488
Detects IPS indicators for these F5 Big-IP and Big-IQ vulnerabilities.
Detects IPS indicators for these F5 Big-IP and Big-IQ vulnerabilities.
https://support.f5.com/csp/article/K03009991
2021-22991: https://www.fortiguard.com/encyclopedia/ips/49979
2021-22986: https://www.fortiguard.com/encyclopedia/ips/50002
2021-22992: https://www.fortiguard.com/encyclopedia/ips/49976