A number of security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows:
- CVE-2022-41622 (CVSS score: 8.8): A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
- CVE-2022-41800 (CVSS score: 8.7): An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.
“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface isn’t internet-facing),” Rapid7 researcher Ron Bowes said.
However, it is worth noting that such an exploit requires an administrator with an active session to visit a hostile website.
Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.
Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.
While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary patches to mitigate potential risks.