High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5
BIG-IP and BIG-IQ devices that, if successfully exploited, could
completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws[1]
could be abused to gain remote access to the devices and defeat security
constraints.

The two high-severity issues, which were reported to F5 on
August 18, 2022, are as follows –

  • CVE-2022-41622 (CVSS score: 8.8) – A
    cross-site request forgery (CSRF[2]) vulnerability through
    iControl SOAP, leading to unauthenticated remote code
    execution.
  • CVE-2022-41800 (CVSS score: 8.7) – An iControl
    REST vulnerability that could allow an authenticated user with an
    Administrator role to bypass Appliance mode[3] restrictions.

“By successfully exploiting the worst of the vulnerabilities
(CVE-2022-41622), an attacker could gain persistent root access to
the device’s management interface (even if the management interface
is not internet-facing),” Rapid7 researcher Ron Bowes said[4].

However, it’s worth noting that such an exploit requires an
administrator with an active session to visit a hostile
website.

Also identified were three different instances[5] of security bypass,
which F5 said cannot be exploited without first breaking existing
security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell
(bash[6]) access to the appliance
could weaponize these weaknesses to execute arbitrary system
commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being
exploited in attacks, it’s recommended that users apply the
necessary patches to mitigate potential risks.

References

  1. flaws (support.f5.com)
  2. CSRF (owasp.org)
  3. Appliance mode (support.f5.com)
  4. said (www.rapid7.com)
  5. three different instances (support.f5.com)
  6. bash (en.wikipedia.org)