- F5 announced that the company has fixed the vulnerabilities in an engineering hotfix that is available for supported versions.
- The vulnerabilities were discovered and reported by researchers at Rapid7 on August 18 and fixed in November.
- The vulnerabilities affecting BIG-IP and BIG-IQ have CVSSv3 scores of 8.7 and 8.8 and are considered high severity.
F5 fixed multiple vulnerabilities in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS. The vulnerabilities, discovered by Rapid7, are considered high-severity with CVSSv3 scores of 8.7 and 8.8. The issues have been fixed in an engineering hotfix available for supported versions of BIG-IP.
Reported on August
Rapid7 researchers reported the vulnerabilities to the company on August 18, 2022. Rapid7 also supported F5 in addressing them.
CVE-2022-41800: When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Vulnerable products are:
- BIG-IP (all modules) 17.0.0
- BIG-IP (all modules) 16.1.0 – 16.1.3
- BIG-IP (all modules) 15.1.0 – 15.1.8
- BIG-IP (all modules) 14.1.0 – 14.1.5
- BIG-IP (all modules) 13.1.0 – 13.1.5
The advisory says,
« In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. »
CVE-2022-41622: BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Vulnerable products are:
- BIG-IP (all modules) 17.0.0
- BIG-IP (all modules) 16.1.0 – 16.1.3
- BIG-IP (all modules) 15.1.0 – 15.1.8
- BIG-IP (all modules) 14.1.0 – 14.1.5
- BIG-IP (all modules) 13.1.0 – 13.1.5
- BIG-IQ Centralized Management 8.0.0 – 8.2.0
- BIG-IQ Centralized Management 7.1.0
The advisory says,
« An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system. »
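To turn the affected-version lists above into an inventory check, here is an added example (not code from F5, Rapid7 or the advisory) that compares a BIG-IP or BIG-IQ version string numerically against the inclusive ranges listed for each CVE. It assumes that a point release such as 16.1.3.1 is judged by its major.minor.maintenance triple, since the advisory lists ranges at that granularity; the sample inventory is constructed.

```python
# Added example: map version strings to the affected ranges listed in the
# advisory for CVE-2022-41800 and CVE-2022-41622. Ranges are inclusive.
BIG_IP_RANGES = [
    ("17.0.0", "17.0.0"),
    ("16.1.0", "16.1.3"),
    ("15.1.0", "15.1.8"),
    ("14.1.0", "14.1.5"),
    ("13.1.0", "13.1.5"),
]
BIG_IQ_RANGES = [
    ("8.0.0", "8.2.0"),
    ("7.1.0", "7.1.0"),
]
AFFECTED = {
    "CVE-2022-41800": {"BIG-IP": BIG_IP_RANGES},
    "CVE-2022-41622": {"BIG-IP": BIG_IP_RANGES, "BIG-IQ": BIG_IQ_RANGES},
}


def version_key(version: str) -> tuple:
    """Turn '16.1.3' or '16.1.3.1' into the (major, minor, maintenance) triple.

    Assumption: a fourth (point-release) component is ignored because the
    advisory lists ranges at triple granularity. Numeric comparison matters:
    as strings '16.1.10' < '16.1.3', as tuples (16, 1, 10) > (16, 1, 3).
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def affected_cves(product: str, version: str) -> list:
    """Return the CVEs whose listed ranges for `product` contain `version`."""
    key = version_key(version)
    hits = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if version_key(low) <= key <= version_key(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("BIG-IP", "16.1.3"), ("BIG-IP", "16.1.10"),
                 ("BIG-IQ", "8.1.0"), ("BIG-IP", "12.1.6")]
    for product, version in inventory:
        cves = affected_cves(product, version)
        print(f"{product} {version}: {', '.join(cves) or 'not in listed ranges'}")
```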