High-Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices


Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The issues affect BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –

  • CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
  • CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface is not internet-facing),” Rapid7 researcher Ron Bowes said.

However, it is worth noting that such an exploit requires an administrator with an active session to visit a hostile website.
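The condition described above, an administrator's browser carrying a live session while it loads a site the attacker controls, is the general shape of CSRF, and the usual server-side countermeasure is to refuse state-changing requests whose browser-supplied origin metadata does not match the management interface. The Python below is an added illustration of that generic check; it is not code from F5, Rapid7 or the BIG-IP product. The host name bigip-mgmt.example.internal, the cookie value and the sample requests are constructed for the example.

```python
# Added example (not F5 or Rapid7 code): a generic server-side check that rejects
# state-changing requests a browser sent from another site. The host name
# bigip-mgmt.example.internal and the sample requests below are constructed.
from urllib.parse import urlsplit

# Origins allowed to issue state-changing requests (assumption for the example).
ALLOWED_ORIGINS = {"https://bigip-mgmt.example.internal"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str):
    """Reduce an Origin or Referer value to scheme://host[:port], or None when
    it has no scheme/host (for instance the opaque 'null' origin)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_cross_site(method: str, headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Return True when a request must be rejected as cross-site.

    Safe methods are never rejected. For other methods the decision uses, in
    order: Sec-Fetch-Site (set by the browser, not overridable by page script),
    then Origin, then Referer. A request carrying none of them fails closed,
    because a browser always attaches at least one to a cross-origin POST.
    The session cookie is deliberately ignored: the browser sends it on
    cross-site requests as well, which is exactly what makes CSRF work.
    """
    if method.upper() in SAFE_METHODS:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        return site not in ("same-origin", "none")
    for name in ("origin", "referer"):
        if name in h:
            return origin_of(h[name]) not in allowed
    return True


# Constructed sample requests (method, headers). Every POST carries the admin's
# session cookie; only the origin metadata tells the legitimate ones apart.
SAMPLE_REQUESTS = {
    "admin_same_origin": ("POST", {
        "Cookie": "session=admin-session-token",
        "Origin": "https://bigip-mgmt.example.internal",
        "Sec-Fetch-Site": "same-origin",
    }),
    "hostile_page_autosubmit": ("POST", {
        "Cookie": "session=admin-session-token",
        "Origin": "https://hostile.example",
        "Sec-Fetch-Site": "cross-site",
    }),
    "old_browser_referer_only": ("POST", {
        "Cookie": "session=admin-session-token",
        "Referer": "https://bigip-mgmt.example.internal/admin/",
    }),
    "no_metadata_at_all": ("POST", {"Cookie": "session=admin-session-token"}),
    "plain_get": ("GET", {}),
}


def classify_samples() -> dict:
    """Map each sample name to True (reject as cross-site) or False (allow)."""
    return {name: is_cross_site(m, hdrs) for name, (m, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, rejected in classify_samples().items():
        print(f"{name:26s} -> {'REJECT' if rejected else 'allow'}")
```

Run as a script it classifies the five constructed requests: the cross-site auto-submission and the POST with no origin metadata are rejected, the same-origin requests and the GET are allowed. This illustrates the defence in general; it is not a fix for the F5 issues, for which the remedy is the vendor hotfix.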

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary “engineering hotfix” released by the company to mitigate potential risks.
