F5 fixes two remote code execution flaws in BIG-IP, BIG-IQ



F5 has released hotfixes for its BIG-IP and BIG-IQ products, addressing two high-severity flaws allowing attackers to perform unauthenticated remote code execution (RCE) on vulnerable endpoints.

While these flaws require specific criteria to exist, making them very difficult to exploit, F5 warns that it could lead to a complete compromise of the devices.

The first flaw is tracked as CVE-2022-41622 (CVSS v3 – 8.8) and is an unauthenticated RCE via cross-site forgery on iControl SOAP, impacting multiple BIG-IP and BIG-IQ versions.

“An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions,” describes F5’s advisory.

“If exploited, the vulnerability can compromise the complete system.”

The second flaw is CVE-2022-41800 (CVSS v3 – 8.7), an authenticated RCE via RPM spec injection, impacting the iControl REST component.

The vulnerable BIG-IP versions are:

  • 13.1.0 – 13.1.5
  • 14.1.0 – 14.1.5
  • 15.1.0 – 15.1.8
  • 16.1.0 – 16.1.3
  • 17.0.0

For BIG-IQ, the impacted versions are:

Impacted customers are recommended to request the engineering hotfix for their product version from F5 and install it manually.

To resolve CVE-2022-41622, admins should also disable Basic Authentication for iControl SOAP after installing the hotfix.

Technical details released

The vulnerabilities were discovered by researchers at Rapid7 in July 2022 and reported to F5 in August 2022.

Yesterday, Rapid7 published a detailed report on the flaws disclosing the technical details of the vulnerabilities.

“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface is not internet-facing),” explains the report by Rapid7.

However, for such an attack to work, an administrator with an active session would have to be lured into visiting a malicious website with the same browser used for managing BIG-IP.

Furthermore, the attacker would need to know the address of the targeted BIG-IP instance to enact the cross-site request forgery against the admin.

Due to this, Rapid7 researcher Ron Bowes believes that it is unlikely that the vulnerabilities will receive widespread exploitation.

For CVE-2022-41800, the attacker would have to be authenticated with ‘Resource Admin’ or higher privileges, so the impact isn’t as critical.

F5 is unaware of any exploitation incidents involving either vulnerabilities disclosed by Rapid7.

The analysts have published extensive technical details, including a proof of concept exploit for CVE-2022-41622, so it is important to address the vulnerabilities as soon as possible.

Apart from the two high-severity flaws, Rapid7 also discovered several security control (SELinux) bypass methods, but these will not be fixed as the vendor didn’t consider them practically exploitable.