Recently F5 announced new CVEs, and in this blog I will show you how to translate these into compliance policies within NetYCE so you can test your nodes with ease.
I will be using the following one as example, “iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986” which states a list of versions known to be vulnerable, and also the version numbers where the fix in question has been introduced.
Using this information supplied by F5 we create a policy which checks the versions of our F5 nodes to ensure we are compliant and not vulnerable to this CVE. This looks like this:
The versions known to be vulnerable are copied into the condition.Make sure to select the “SoftwareVersion” type in the top right corner, and check the box next to “Lines contain regular expressions” when creating this condition.
This looks all good, but we already know that new firmware versions will be released, so just checking for these values won't make sense if we want to take a more proactive approach. We would rather create a policy that is future proof.
To do this, instead of using the “Must contain” option in the condition we click the pulldown box and select the “Must not contain” option to exclude certain software versions from being compliant: the CVE supplies us with a clear indication of the versions firmware known to be vulnerable. This regular expression will match all firmware versions known to be vulnerable, and again, note the checkbox next to “Lines contain regular expressions”:
If you set up policies in this way, the report will proactively check your network and give immediate insight into what actions have to be taken to mitigate the issues found. Result: a safe and secure network!