Two high-severity vulnerabilities are disclosed in F5, affecting the F5 BIG-IP and BIG-IQ devices that can lead to a complete compromise of the system. These vulnerabilities are tracked as CVE-2022-41622 and CVE-2022-41800. Tracking these vulnerabilities is done by a vulnerability management tool.
However, a patch management solution can remediate them.
Technical Details of F5 BIG-IP and BIG-IQ
CVE-2022-41622: Unauthenticated Remote Code Execution in SOAP API via CSRF
The SOAP API endpoint /iControl/iControlPortal.cgi for F5 Big-IP doesn’t have cross-site request forgery (CSRF) protection, and neither does it require a proper Content-Type or other typical SOAP API security measures.
An attacker executes arbitrary SOAP commands against the F5 Big-IP SOAP API in authorizing a user’s session if the user visits an attacker-controlled website or is sent there via an open redirect or cross-site scripting. This might result in remote code execution in several ways, as shown in a proof-of-concept.
iControlPortal.cgi, the API endpoint for SOAP requests, is a SetUID root CGI script that runs as root and is located at /iControl/iControlPortal.cgi endpoint.
ls -l /usr/local/www/iControl/iControlPortal.cgi
-rwsr-xr-x. 1 root root 2931172 Jul 15 01:13 /usr/local/www/iControl/iControlPortal.cgi
For successful exploitation, an active session administrator would lure into visiting a malicious website with the same browser used for managing BIG-IP. Additionally, to perform the cross-site request forgery against the administrator, the attacker would require the address of the targeted BIG-IP instance.
CVE-2022-41800: Authenticated Remote Code Execution via RPM Spec Injection
The administrator-only endpoint of the JSON API for F5 Big-IP creates an RPM specification file (.rpmspec). Another administrator-only endpoint uses that file to produce an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where newlines could use to insert new fields into the specification.
Noting that an attacker may include shell commands that executes when producing the resulting RPM file. This enables authorized administrators to execute shell commands on an endpoint that is designs or explicitly stated to support such capabilities. These administrators may be malicious insiders, users of compromised accounts, etc.
An administrator login is for successful exploitation, and endpoints such as /mgmt/tm/util/bash should be capable of executing shell commands by design. This technique can bypass blocklists or alerts that an administrator might set up for the well-known bash endpoint.
Impact of F5 BIG-IP and BIG-IQ
CVE-2022-41622: By successfully exploiting this flaw, an attacker could gain persistent root access to the device’s management interface even if the management interface is not internet-facing.
CVE-2022-41800: An attacker with admin privileges can execute arbitrary shell commands via RPM specification files by exploiting this flaw. The impact isn’t as severe because the attacker is authorize with “Resource Admin” or higher rights.
Affected Products in F5 BIG-IP and BIG-IQ
The vulnerable BIG-IP versions are:
- BIG-IP versions 13.1.0 – 13.1.5
- BIG-IP versions 14.1.0 – 14.1.5
- BIG-IP versions 15.1.0 – 15.1.8
- BIG-IP versions 16.1.0 – 16.1.3
- BIG-IP version 17.0.0
The vulnerable BIG-IQ versions are:
- BIG-IQ version 7.1.0
- BIG-IQ versions 8.0.0 – 8.2.0
Solution
- Affects customers are advises to contact F5, request the engineering hotfix for their product version, and manually install it.
- To resolve CVE-2022-41622, admins should also disable Basic Authentication for iControl SOAP after installing the hotfix.
SanerNow Network Scanner detects these vulnerabilities. Use SanerNow and keep your systems updated and secure.