Researchers from Rapid7 examined the custom-built CentOS installation that runs on F5 BIG-IP and BIG-IQ devices and found several vulnerabilities in it.
While the other flaws are security-control bypass techniques that F5 does not consider vulnerabilities, two of them were classified as high-severity remote code execution vulnerabilities and assigned CVE IDs.
Vulnerabilities Found
The first high-severity flaw, tracked as CVE-2022-41622, is an unauthenticated remote code execution via cross-site request forgery (CSRF) that affects BIG-IP and BIG-IQ products.
In this case, even if a device's management interface is not exposed to the internet, exploitation can still allow a remote, unauthenticated attacker to gain root access.
“An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system,” reads the advisory published by F5.
The report says exploitation requires the attacker to be familiar with the targeted network and to convince an administrator who is logged in to visit a malicious website designed to exploit the flaw.
This attack cannot be prevented if you have authenticated to iControl SOAP in the web browser with basic authentication. This authentication mechanism is uncommon and is different from using the login page of the Configuration utility.
F5 advises against using basic authentication for web browser authentication, and recommends not entering credentials if a web browser authentication popup appears.
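The reason basic authentication makes this attack unpreventable on the device side is that, once credentials have been entered into the browser's popup, the browser re-attaches them to every later request to that host, regardless of which page initiated the request. The following toy model is an added example, not F5's code and not Rapid7's exploit: it simulates that browser behaviour against a generic state-changing endpoint, shows the forged request succeeding with cached basic credentials, and shows two defender-side outcomes: the user never entering credentials into the popup (F5's advice), and a server that additionally validates the Origin header (a generic CSRF mitigation assumed here for illustration). The host names, endpoint path and account are all constructed.

```python
"""Toy model of CSRF against cached HTTP Basic credentials (added example).

Assumptions (not from the advisory): the management host name, the endpoint
path, the 'admin' account and the Origin-header check are all illustrative.
"""
import base64
from dataclasses import dataclass, field

DEVICE_ORIGIN = "https://bigip.example.internal"  # assumed management host
EVIL_ORIGIN = "https://attacker.example"          # assumed malicious site
ACTION_PATH = "/admin/action"                     # assumed state-changing endpoint


@dataclass
class Browser:
    """Minimal browser: once Basic credentials are entered for an origin, they
    are sent on every later request to that origin, whichever page started it."""
    basic_creds: dict = field(default_factory=dict)  # origin -> "user:password"

    def login_basic(self, origin, user, password):
        self.basic_creds[origin] = f"{user}:{password}"

    def request(self, initiating_origin, target_origin, path, body):
        # Browsers add an Origin header to cross-site POSTs; modelled here.
        headers = {"Origin": initiating_origin}
        creds = self.basic_creds.get(target_origin)
        if creds:
            token = base64.b64encode(creds.encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        return {"headers": headers, "path": path, "body": body}


def handle(req, own_origin=DEVICE_ORIGIN, check_origin=False):
    """State-changing endpoint. With check_origin=False it accepts any request
    carrying valid Basic credentials (the vulnerable shape). With
    check_origin=True it also rejects requests whose Origin is not its own."""
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, "no credentials"
    user, _, _password = base64.b64decode(auth[6:]).decode().partition(":")
    if user != "admin":  # constructed: only the admin account may act here
        return 403, "not an administrator"
    if check_origin and req["headers"].get("Origin") != own_origin:
        return 403, "cross-origin request rejected"
    return 200, f"executed: {req['body']}"


def run_scenarios():
    """Return the HTTP status each scenario produces."""
    results = {}
    b = Browser()
    b.login_basic(DEVICE_ORIGIN, "admin", "s3cret")  # constructed credentials
    legit = b.request(DEVICE_ORIGIN, DEVICE_ORIGIN, ACTION_PATH, "privileged-action")
    forged = b.request(EVIL_ORIGIN, DEVICE_ORIGIN, ACTION_PATH, "privileged-action")
    results["legit"] = handle(legit)[0]
    # CSRF: the browser attached the cached credentials to the forged request.
    results["forged_no_check"] = handle(forged)[0]
    # Generic mitigation: the server rejects cross-origin state changes.
    results["forged_with_origin_check"] = handle(forged, check_origin=True)[0]
    results["legit_with_origin_check"] = handle(legit, check_origin=True)[0]
    # F5's advice: credentials were never entered into the popup.
    clean = Browser()
    results["forged_no_creds"] = handle(
        clean.request(EVIL_ORIGIN, DEVICE_ORIGIN, ACTION_PATH, "privileged-action"))[0]
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:26s} -> {status}")
```

The `forged_no_check` result is the whole problem in one line: the server cannot tell a forged request from a legitimate one because the browser supplied exactly the same credentials for both. Either the credentials must never be cached in the browser (F5's guidance) or the server must check something the attacker's page cannot forge.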
The second high-severity flaw, CVE-2022-41800, allows an attacker with administrative rights to execute arbitrary shell commands via RPM specification files.
It resides in iControl REST under Appliance mode and is an authenticated remote code execution via RPM spec injection. An authenticated user with valid credentials assigned to the Administrator role can bypass the restrictions of Appliance mode.
“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure,” reads the advisory.
“Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.”
In this case, F5 recommends temporary mitigations that reduce the threat surface by limiting access to iControl REST to trusted networks or devices only.
Because the attacker must already possess valid credentials for a highly privileged administrative account, limiting access could still leave the system vulnerable to lateral movement from a compromised device within the trusted range, or to an insider threat.
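To make the limits of that mitigation concrete, the following added example (not F5's tooling) audits constructed access-log lines for requests to iControl REST, whose endpoints on BIG-IP are served under `/mgmt/`, against a source allow-list. Requests from outside the allow-list are what the mitigation would block; write requests from an administrator inside the trusted range pass the allow-list and are flagged for review, because that is exactly the lateral-movement or insider case the allow-list cannot cover. The allow-list ranges, user names and log lines are constructed; the log format is assumed to be an Apache-style combined log.

```python
"""Audit constructed access-log lines against an iControl REST allow-list.

Added example. The allow-list ranges, accounts and log lines are constructed;
the Apache-style log layout is an assumption.
"""
import ipaddress
import re

# Constructed allow-list of trusted management networks (IPv4 and IPv6).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "2001:db8:1::/64")]

# Methods that change device state; reads are not flagged for review.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample log: trusted read, untrusted write, trusted write,
# trusted IPv6 read, and one malformed line that must be skipped.
SAMPLE_LOG = """\
10.10.0.7 - admin [10/Nov/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512
203.0.113.9 - admin [10/Nov/2022:10:01:05 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 200 88
10.10.0.42 - admin [10/Nov/2022:10:02:17 +0000] "POST /mgmt/tm/ltm/virtual HTTP/1.1" 200 88
2001:db8:1::5 - auditor [10/Nov/2022:10:03:00 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 2048
this line is not an access-log record
"""


def classify(line):
    """Return a finding for one log line, or None if it is not parseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    if not m["path"].startswith("/mgmt/"):
        return None  # only iControl REST traffic is in scope here
    ip = ipaddress.ip_address(m["ip"])
    # An address of one IP version is never 'in' a network of the other.
    trusted = any(ip in net for net in ALLOWED_SOURCES)
    if not trusted:
        verdict = "blocked"   # the allow-list mitigation stops this request
    elif m["method"] in WRITE_METHODS:
        verdict = "review"    # trusted source, privileged write: not covered
    else:
        verdict = "allowed"
    return {"ip": str(ip), "user": m["user"], "method": m["method"],
            "path": m["path"], "verdict": verdict}


def audit(log_text):
    """Classify every parseable /mgmt/ request in the log text."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding['verdict']:8s} {finding['ip']:16s} {finding['user']:8s} "
              f"{finding['method']} {finding['path']}")
```

The `review` verdict is the point: the allow-list only decides where a request may come from, not who is behind it, so administrative writes from inside the trusted range still need the usual credential hygiene and change monitoring.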
The remaining findings are bypasses of security controls that F5 rejected as not exploitable, including two SELinux bypass techniques and a local privilege escalation via bad UNIX socket permissions.