A number of security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –
- CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution. "Unauthenticated" here describes the attacker: the forged request rides on the browser session of an administrator who is already logged in.
- CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.
"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing)," Rapid7 researcher Ron Bowes said.
However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website. That precondition is the defining property of CSRF: the browser attaches the management session cookie to any request aimed at the appliance, regardless of which page caused the request to be sent, so a management interface reachable only from the internal network is still reachable from the administrator's own browser.
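The following is an added, generic illustration of the CSRF precondition described above; it is not code from the article, from Rapid7, or from F5, and it does not model how iControl SOAP is actually implemented. It simulates a management endpoint that authenticates on the session cookie alone (the shape of request handling that CSRF abuses) next to a hardened variant that also checks the request's origin and requires a custom header. The hostname, cookie value, and requests are all constructed for the example.

```python
"""Cookie-only authentication versus CSRF-resistant authentication on a
management endpoint. Constructed example; every name and value below is an
assumption made for illustration, not taken from F5 products."""
from dataclasses import dataclass, field

# Assumed origin of the appliance's management interface (constructed).
APPLIANCE_ORIGIN = "https://bigip-mgmt.example.internal"

# Constructed: the one session cookie currently considered live by the appliance.
VALID_SESSIONS = {"BIGIPAuthCookie=0123abcd"}

# Custom header a same-origin management client would add to every call.
# A cross-site HTML form cannot set it, and a cross-origin fetch/XHR that
# sets it triggers a CORS preflight that this server never approves.
CSRF_HEADER = "X-Requested-With"
CSRF_HEADER_VALUE = "XMLHttpRequest"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def cookie_is_valid(req: Request) -> bool:
    return req.headers.get("Cookie") in VALID_SESSIONS


def same_origin(value: str) -> bool:
    """True for an Origin header equal to the appliance origin, or a Referer
    header pointing at a page served from it."""
    return value == APPLIANCE_ORIGIN or value.startswith(APPLIANCE_ORIGIN + "/")


def vulnerable_handler(req: Request) -> int:
    """Returns an HTTP status. Accepts any request carrying a live session
    cookie. Because the browser attaches that cookie automatically, a POST
    auto-submitted by a hostile page passes this check as well."""
    if not cookie_is_valid(req):
        return 401
    return 200  # the management call would now run with the admin's rights


def hardened_handler(req: Request) -> int:
    """Same cookie check, plus two independent CSRF defences that the
    forged request cannot satisfy from another site."""
    if not cookie_is_valid(req):
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return 403
    if req.headers.get(CSRF_HEADER) != CSRF_HEADER_VALUE:
        return 403
    return 200


# Constructed request from the appliance's own management UI.
LEGIT = Request(
    "POST", "/iControl/iControlPortal.cgi",
    headers={
        "Cookie": "BIGIPAuthCookie=0123abcd",
        "Origin": APPLIANCE_ORIGIN,
        CSRF_HEADER: CSRF_HEADER_VALUE,
    },
    body="<soap-envelope-omitted/>",
)

# Constructed request the admin's browser sends after visiting a hostile page:
# the cookie is attached by the browser, the Origin is the hostile site, and
# no custom header can be set from a cross-site form submission.
FORGED = Request(
    "POST", "/iControl/iControlPortal.cgi",
    headers={
        "Cookie": "BIGIPAuthCookie=0123abcd",
        "Origin": "https://hostile.example",
    },
    body="<soap-envelope-omitted/>",
)

# Same forged request when the administrator has no active session.
FORGED_NO_SESSION = Request(
    "POST", "/iControl/iControlPortal.cgi",
    headers={"Origin": "https://hostile.example"},
    body="<soap-envelope-omitted/>",
)


def run_demo() -> dict:
    """Summarise how each handler treats each request."""
    return {
        "legit": (vulnerable_handler(LEGIT), hardened_handler(LEGIT)),
        "forged": (vulnerable_handler(FORGED), hardened_handler(FORGED)),
        "forged_no_session": (vulnerable_handler(FORGED_NO_SESSION),
                              hardened_handler(FORGED_NO_SESSION)),
    }


if __name__ == "__main__":
    for name, (vuln, hard) in run_demo().items():
        print(f"{name:18s} vulnerable={vuln} hardened={hard}")
```

The `forged_no_session` case is the article's caveat in code: without a live administrator session the forged request fails even against the unprotected handler, which is why the bug needs an administrator with an active session to visit the hostile site. Setting the session cookie with `SameSite=Lax` or `Strict` is a third, browser-enforced defence that stops the cookie from being attached to the cross-site POST in the first place; it is omitted here to keep the server-side checks visible.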
Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.
Should such a scenario arise, an adversary who already has Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services. In other words, they are post-compromise escalation and persistence issues rather than initial-access bugs.
While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary "engineering hotfix" released by the company to mitigate potential risks. Until the hotfix is applied, keeping the management interface off untrusted networks does not by itself address CVE-2022-41622, since the forged request originates from an administrator's browser; limiting who holds active management sessions, and not browsing other sites from a browser that holds one, reduces the exposure in the meantime.