Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, will completely compromise the affected system.
Cybersecurity firm Rapid7 said the flaws could be used to remotely access devices and bypass security restrictions. The issues affect BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.
The two high-severity issues, reported to F5 on August 18, 2022, are:
- CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability via iControl SOAP that could allow unauthenticated remote code execution.
- CVE-2022-41800 (CVSS score: 8.7) – A vulnerability in iControl REST that could allow an authenticated user with the Administrator role to bypass Appliance mode restrictions.
“By successfully exploiting the worst vulnerability (CVE-2022-41622), an attacker can gain permanent root access to a device’s management interface (unless the management interface is connected to the Internet),” said Rapid7 researcher Ron Bowes.
Note, however, that such an exploit requires an administrator with an active session to visit a malicious website.
Three further instances of security bypasses were also identified, which F5 says cannot be exploited without first breaching existing security barriers through a previously undocumented mechanism.
If such a scenario occurs, adversaries with Advanced Shell (bash) access to the appliance could weaponize these vulnerabilities to execute arbitrary system commands, create or delete files, or disable services.
F5 has not reported any of these vulnerabilities being exploited in attacks, but recommends applying the necessary patches as they become available to mitigate the potential risk.