A number of security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –
- CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability via iControl SOAP, leading to unauthenticated remote code execution.
- CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.
“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface isn’t internet-facing),” Rapid7 researcher Ron Bowes said.
However, it is worth noting that such an exploit requires an administrator with an active session to visit a hostile website.
Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.
Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.
While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary “engineering hotfix” released by the company to mitigate potential risks.