Two high-severity vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that can lead to a complete compromise of the affected system. They are tracked as CVE-2022-41622 and CVE-2022-41800.
CVE-2022-41622: Unauthenticated Remote Code Execution in SOAP API via CSRF
The SOAP API endpoint /iControl/iControlPortal.cgi on F5 BIG-IP has no cross-site request forgery (CSRF) protection, and it neither requires a proper Content-Type nor applies the other security measures typical of a SOAP API.
An attacker can execute arbitrary SOAP commands against the F5 BIG-IP SOAP API within an authorized user's session if that user visits an attacker-controlled website, or is sent there via an open redirect or cross-site scripting. As shown in a proof-of-concept, this can result in remote code execution in several ways.
iControlPortal.cgi, the CGI script that handles SOAP requests, is SetUID root (it executes as root). It lives on disk at /usr/local/www/iControl/iControlPortal.cgi and is served at the /iControl/iControlPortal.cgi URL path.
```console
ls -l /usr/local/www/iControl/iControlPortal.cgi
-rwsr-xr-x. 1 root root 2931172 Jul 15 01:13 /usr/local/www/iControl/iControlPortal.cgi
```
For successful exploitation, an administrator with an active session would have to be lured into visiting a malicious website using the same browser they use to manage BIG-IP. Additionally, the attacker would need to know the address of the targeted BIG-IP instance in order to perform the cross-site request forgery against the administrator.
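The controls described above as missing from the SOAP endpoint can be expressed as a request-level check. The following is an added example, not F5's code: it models why a browser-originated forged post is distinguishable from a real SOAP client (simple form content types, no custom header, foreign Origin/Referer) and refuses it. The `Request` class, the `host` field and the sample header values are constructed for the example; it assumes the endpoint emits no CORS headers, so a cross-site request carrying a custom header never gets past the browser's preflight.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

SOAP_PATH = "/iControl/iControlPortal.cgi"
# Content types a browser may send cross-site without a CORS preflight; a forged
# HTML form post can carry these, which is why the endpoint must not accept them.
SIMPLE_CONTENT_TYPES = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}
# The SOAP content types a real iControl client sends; neither is "simple".
ALLOWED_SOAP_TYPES = {"text/xml", "application/soap+xml"}


@dataclass
class Request:
    """Minimal stand-in (constructed for this example) for an inbound HTTP request."""
    method: str
    path: str
    host: str                     # hostname the management interface was reached at
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        name = name.lower()
        return next((v for k, v in self.headers.items() if k.lower() == name), "")


def csrf_check(req: Request) -> List[str]:
    """Reasons to refuse a request to the SOAP endpoint; an empty list means accept."""
    if req.path != SOAP_PATH:
        return []
    problems: List[str] = []
    if req.method.upper() != "POST":
        problems.append("SOAP calls must use POST")
    ctype = req.header("Content-Type").split(";")[0].strip().lower()
    if ctype in SIMPLE_CONTENT_TYPES:
        problems.append(f"form-submittable Content-Type {ctype!r}")
    elif ctype not in ALLOWED_SOAP_TYPES:
        problems.append(f"unexpected Content-Type {ctype!r}")
    # A custom header can only reach the server cross-site after a CORS preflight
    # (assumed never approved here), so a plain forged post cannot carry one.
    if not req.header("SOAPAction"):
        problems.append("missing SOAPAction header")
    # Browsers attach Origin (or at least Referer) to cross-site posts; an Origin
    # of "null" or a foreign host means the call did not come from the device's own UI.
    for name in ("Origin", "Referer"):
        value = req.header(name)
        if value and urlparse(value).hostname != req.host:
            problems.append(f"{name} {value!r} does not match device host {req.host!r}")
    return problems
```

A non-browser SOAP client that sends neither Origin nor Referer still passes, so the check adds no friction for legitimate automation.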
CVE-2022-41800: Authenticated Remote Code Execution via RPM Spec Injection
An administrator-only endpoint of the F5 BIG-IP JSON API creates an RPM specification file (.rpmspec), and another administrator-only endpoint uses that file to build an RPM package. Both endpoints are vulnerable to injection into the RPM spec file: newline characters in the supplied values can be used to insert new fields into the specification.
Notably, an attacker can include shell commands that are executed when the resulting RPM file is built. This lets authorized administrators run shell commands through an endpoint that is not designed, or documented, to support such capabilities. These administrators may be malicious insiders, users of compromised accounts, and so on.
An administrator login is required for successful exploitation, and administrators already have endpoints such as /mgmt/tm/util/bash that execute shell commands by design. However, this technique can bypass blocklists or alerts that an administrator might have set up for the well-known bash endpoint.
CVE-2022-41622: By successfully exploiting this flaw, an attacker could gain persistent root access to the device’s management interface even if the management interface is not internet-facing.
CVE-2022-41800: An attacker with admin privileges can execute arbitrary shell commands via RPM specification files by exploiting this flaw. The impact isn’t as severe because the attacker would need to be authorized with “Resource Admin” or higher rights.
The vulnerable BIG-IP versions are:
- BIG-IP versions 13.1.0 – 13.1.5
- BIG-IP versions 14.1.0 – 14.1.5
- BIG-IP versions 15.1.0 – 15.1.8
- BIG-IP versions 16.1.0 – 16.1.3
- BIG-IP version 17.0.0
The vulnerable BIG-IQ versions are:
- BIG-IQ version 7.1.0
- BIG-IQ versions 8.0.0 – 8.2.0
- Affected customers are advised to contact F5, request the engineering hotfix for their product version, and install it manually.
- To resolve CVE-2022-41622, admins should also disable Basic Authentication for iControl SOAP after installing the hotfix.