Cert-In - Home Page

CERT-In Vulnerability Note CIVN-2022-0245
Multiple Vulnerabilities in F5 Products

Original Issue Date:May 24, 2022

Severity Rating: HIGH

Software Affected

F5 BIG-IP APM Clients versions (13.x, 14.x, 15.x, 16.x, 17.x)
F5 BIG-IP (all modules) versions (17.0.0, 16.1.2, 16.1.1, 16.1.0, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0)
F5 BIG-IQ Centralized Management versions (8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0)
F5OS, F5OS-C, F5OS-A versions (1.3.2, 1.3.1, 1.3.0, 1.2.2, 1.2.1, 1.2.0, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0, 1.0.1, 1.0.0)
F5 Traffix SDC versions (5.2.0, 5.1.0)
F5 App Protect, F5 SSL Orchestrator, F5 DDoS Hybrid Defender versions (17.0.0, 16.1.1, 16.1.0, 15.1.1, 15.1.0, 14.1.4, 14.1.2, 14.1.0)

Overview

Multiple vulnerabilities have been reported in F5 products which could be exploited by a remote attacker to execute arbitrary code or cause denial of service conditions on a targeted system.

Description

1. zlib Memory Corruption Vulnerability ( CVE-2018-25032   )

This vulnerability exists in zlib library used by F5 products due to a memory corruption in the deflate operation (i.e., when compressing) if the input has many distant matches.
Successful exploitation of this vulnerability could allow the attacker to cause denial of service conditions on the targeted system.

2. Diffie-Hellman Key Agreement Protocol Vulnerability ( CVE-2002-20001   )

This vulnerability exists in F5 products due to improper input validation. A remote attacker could exploit this vulnerability by sending specially-crafted input to the affected system.
Successful exploitation of this vulnerability could allow a remote attacker to trigger expensive server-side DHE modular-exponentiation calculations, also known as a D(HE)ater attack to cause denial of service conditions on the targeted system.

3. DHCP Stack-overflow Vulnerability ( CVE-2021-25217   )

This vulnerability exists in F5 products due to improper parsing of data with colon-separated hex digits in config or lease files in dhcpd and dhclient. A network adjacent attacker could exploit this vulnerability by supplying crafted input files to the affected system.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.

Solution

Apply appropriate updates as mentioned security advisory:
https://support.f5.com/csp/article/K21548854

https://support.f5.com/csp/article/K83120834

https://support.f5.com/csp/article/K08832573

Vendor Information

https://support.f5.com/csp/article/K21548854
https://support.f5.com/csp/article/K83120834
https://support.f5.com/csp/article/K08832573

CVE Name
CVE-2018-25032
CVE-2002-20001
CVE-2021-25217

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India