High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could lead to a full compromise of affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The issues affect BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –

  • CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
  • CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface is not internet-facing),” Rapid7 researcher Ron Bowes said.

However, it is worth noting that such an exploit requires an administrator with an active session to visit a hostile website: the attacker never needs credentials, because the victim’s browser attaches the existing authenticated session to the forged request.
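The precondition Bowes describes is the general shape of CSRF against a management interface. The following Python sketch is an added example, not F5 code and not a reproduction of CVE-2022-41622 or of iControl SOAP: it models a hypothetical admin endpoint that runs a command, first authorised by the session cookie alone (the vulnerable pattern), then hardened with an Origin check and a per-session anti-CSRF token. The host name, session store, endpoint and request shapes are assumptions constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed session store: one logged-in administrator. The per-session
# anti-CSRF token is random and is only ever handed to pages on our own origin.
SITE_ORIGIN = "https://bigip.internal"          # hypothetical management host
SESSIONS = {"sess-admin": {"user": "admin", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    """Minimal model of what the server sees for one HTTP request."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def _session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def handle_vulnerable(req):
    """Vulnerable pattern: a state-changing action is authorised by the session
    cookie alone. Because the browser attaches cookies automatically, a request
    forged by a hostile page is indistinguishable from a legitimate one."""
    sess = _session_for(req)
    if sess is None or req.method != "POST" or req.path != "/admin/run":
        return 403, "denied"
    return 200, f"ran {req.body.get('cmd')!r} as {sess['user']}"


def handle_hardened(req):
    """Same action with two independent CSRF defences layered on top:
    1. the request must originate from our own site (Origin/Referer check);
    2. the body must carry the session's anti-CSRF token, which a cross-site
       page cannot read (same-origin policy) and therefore cannot forge."""
    sess = _session_for(req)
    if sess is None or req.method != "POST" or req.path != "/admin/run":
        return 403, "denied"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # Exact match or a path under our origin; a bare prefix test would let
    # "https://bigip.internal.attacker.example" through.
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request rejected"
    supplied = req.body.get("csrf_token", "")
    if not secrets.compare_digest(supplied, sess["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"ran {req.body.get('cmd')!r} as {sess['user']}"


def cross_site_request(cmd="id"):
    """What arrives when a hostile page auto-submits a form while the admin is
    logged in: the victim's cookie rides along, Origin is the attacker's site,
    and there is no token because the attacker never saw it."""
    return Request("POST", "/admin/run",
                   cookies={"session": "sess-admin"},
                   headers={"Origin": "https://attacker.example"},
                   body={"cmd": cmd})


def legitimate_request(cmd="id"):
    """The same action issued from the management UI itself."""
    return Request("POST", "/admin/run",
                   cookies={"session": "sess-admin"},
                   headers={"Origin": SITE_ORIGIN},
                   body={"cmd": cmd,
                         "csrf_token": SESSIONS["sess-admin"]["csrf_token"]})


if __name__ == "__main__":
    print("vulnerable, forged :", handle_vulnerable(cross_site_request()))
    print("hardened,   forged :", handle_hardened(cross_site_request()))
    print("hardened,   genuine:", handle_hardened(legitimate_request()))
```

Any mechanism that makes the administrator’s browser issue the request (a hidden auto-submitting form, an image or script tag) reaches the vulnerable handler with a valid session; the hardened handler fails every such attempt because the hostile page can neither set a same-site Origin nor read the token. A `SameSite=Lax` or `Strict` attribute on the session cookie is a third, browser-enforced layer that this sketch does not model.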

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security boundaries through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary “engineering hotfix” released by the company to mitigate potential risks.
