A proactive approach to F5 vulnerabilities

Jeroen Bosch on April 11, 2023

The recent history of F5 attacks has taught us that you can't protect yourself after the attack has started. You have to take a proactive approach.

Recently F5 announced new CVEs, and in this blog I will show you how to translate these into compliance policies within NetYCE so you can test your nodes with ease.

I will be using the following one as an example: “iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986”. The advisory lists the versions known to be vulnerable, and also the version numbers in which the fix in question was introduced.

Security Advisory Status

Using this information supplied by F5, we create a policy that checks the software versions of our F5 nodes to ensure we are compliant and not vulnerable to this CVE. The policy looks like this:

Edit policy

The versions known to be vulnerable are copied into the condition. Make sure to select the “SoftwareVersion” type in the top right corner, and check the box next to “Lines contain regular expressions” when creating this condition.

Edit Condition

This all looks good, but we already know that new firmware versions will be released, so just checking for these fixed values won't make sense if we want to take a more proactive approach. We would rather create a policy that is future proof.

To do this, instead of using the “Must contain” option in the condition, we click the pulldown box and select the “Must not contain” option to exclude certain software versions from being compliant: the CVE gives us a clear indication of the firmware versions known to be vulnerable. The regular expression below matches all firmware versions known to be vulnerable; again, note the checkbox next to “Lines contain regular expressions”:

Edit condition

If you set up policies in this way, the report will proactively check your network and give immediate insight into what actions have to be taken to mitigate the issues found. Result: a safe and secure network!
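As an added illustration (not NetYCE code and not from the original post), the Python below models the two condition styles side by side: a “Must contain” allow-list of fixed versions and a “Must not contain” regular expression over the vulnerable range. The version ranges, node names and reported versions are constructed placeholders; take the real ranges from the F5 advisory for the CVE you are translating.

```python
import re

# Placeholder vulnerable ranges constructed for this example (assumption);
# copy the real ranges from the F5 advisory for the CVE being translated.
# Anchored with ^ and $ so that "16.0.1" does not also match the fix "16.0.1.1".
VULNERABLE_RE = re.compile(r"^(?:16\.0\.[01]|15\.1\.[0-2])$")

# Placeholder "Must contain" allow-list of fixed versions (assumption).
KNOWN_FIXED = [r"^16\.0\.1\.1$", r"^15\.1\.2\.1$"]


def must_contain_compliant(version: str, good_patterns) -> bool:
    """Allow-list style: compliant only if the version matches a listed pattern."""
    return any(re.search(p, version) for p in good_patterns)


def must_not_contain_compliant(version: str, bad_pattern: re.Pattern) -> bool:
    """Deny-list style: compliant unless the version falls in a vulnerable range."""
    return bad_pattern.search(version) is None


def unanchored_pitfall(version: str) -> bool:
    """The same deny-list check with an unanchored pattern; it wrongly flags 16.0.1.1."""
    return must_not_contain_compliant(version, re.compile(r"16\.0\.[01]"))


def report(inventory: dict) -> dict:
    """Evaluate every node under both styles -> {node: (must_contain, must_not_contain)}."""
    return {
        node: (must_contain_compliant(ver, KNOWN_FIXED),
               must_not_contain_compliant(ver, VULNERABLE_RE))
        for node, ver in inventory.items()
    }


# Constructed inventory: node name -> software version the node reports.
INVENTORY = {
    "bigip-a": "16.0.1",    # inside the vulnerable range
    "bigip-b": "16.0.1.1",  # the release carrying the fix
    "bigip-c": "16.1.0",    # newer than anything the advisory lists
}

if __name__ == "__main__":
    for node, (mc, mnc) in report(INVENTORY).items():
        print(f"{node:8} {INVENTORY[node]:9} "
              f"must-contain={mc!s:5} must-not-contain={mnc}")
```

The newer release on bigip-c is reported non-compliant by the allow-list but compliant by the deny-list regex, which is the future-proof behaviour the post is after; the unanchored variant shows why the regex must be anchored.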

Jeroen Bosch

Jeroen is a dedicated Support Engineer at NetYCE who likes to help people get the best from NetYCE. He supports both customers and Solution Architects at NetYCE, while also testing the software to make sure the code does what it should do. In addition, Jeroen is responsible for the development of the vendor modules that enable seamless communication with all types of networks. Jeroen likes nature, cooking, and photography, and is part of a light art team when he's not working.