Many vulnerabilities discovered today in NGINX Controller Agent

K43530108: The CVE-2020-27730 NGINX Handler Agent flaw

When calling a device, the NGINX Controller Agent does not use absolute routes.

This weakness makes it possible for a local attacker to increase privileges and run arbitrary code as the mechanism for the agent (root).

Threat advisory status Security advisory status

IND-16119 (NGINX) was assigned to this vulnerability by F5 Product Development.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|BIG-IP (LTM, AAM,  +------+----------+----------+          |      |          |
|Advanced WAF, AFM, |14.x  |None      |Not       |          |      |          |
|Analytics, APM,    |      |          |applicable|Not       |      |          |
|ASM, DDHD, DNS,    +------+----------+----------+vulnerable|None  |None      |
|FPS, GTM, Link     |13.x  |None      |Not       |          |      |          |
|Controller, PEM,   |      |          |applicable|          |      |          |
|SSLO)              +------+----------+----------+          |      |          |
|                   |12.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |3.x   |3.0.0 -   |3.10.0    |          |      |          |
|                   |      |3.9.0     |          |          |      |          |
|                   +------+----------+----------+          |      |NGINX     |
|NGINX Controller   |2.x   |2.0.0 -   |None      |High      |8.4   |Controller|
|                   |      |2.9.0     |          |          |      |Agent     |
|                   +------+----------+----------+          |      |          |
|                   |1.x   |1.0.1     |None      |          |      |          |
+-------------------+------+----------+----------+----------+--

The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

References:
auscert, bulletins