Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -
- CVE-2022-41622 (CVSS score: 8.8) - A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
- CVE-2022-41800 (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.
"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing)," Rapid7 researcher Ron Bowes said.
However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.
Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.
Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.
While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary "engineering hotfix" released by the company to mitigate potential risks.