F5 BIG-IP Traffic Management User Interface (TMUI) RCE
Description
A critical remote code execution vulnerability exists in the Traffic Management User Interface (TMUI) of F5 BIG-IP systems running versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. This vulnerability allows attackers to bypass authentication and execute arbitrary commands on the underlying system through directory traversal flaws in the web-based management interface. Both unauthenticated remote attackers and authenticated users with network access to the TMUI can exploit this vulnerability.
Remediation
Take immediate action to mitigate this critical vulnerability using the following steps:
1. Immediate Mitigation (Temporary): If immediate patching is not possible, block access to the TMUI (typically port 443) from untrusted networks using firewall rules or access control lists. Restrict management access to trusted IP addresses only.
2. Permanent Remediation: Upgrade to a patched version as specified in F5's security advisory K52145254. Consult the reference link for the specific fixed versions corresponding to your current release branch.
3. Post-Remediation: After patching, review system logs for indicators of compromise, including unusual authentication attempts, unexpected file modifications, or suspicious command execution. Change all administrative credentials and review user accounts for unauthorized additions.
4. Verification: Confirm the patch was successfully applied by checking the software version and testing that the vulnerability is no longer exploitable using the methods described in F5's advisory.