High-Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices


A number of security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –

  • CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
  • CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface isn’t internet-facing),” Rapid7 researcher Ron Bowes said.

However, it is worth noting that such an exploit requires an administrator with an active session to visit a hostile website.
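The precondition above (an administrator with a live session whose browser is lured to a hostile site) is the classic CSRF shape: the browser attaches the session cookie to a cross-site request, so an endpoint that authorizes on the cookie alone accepts it. The following is an added illustration written for this article, not F5's code and not a description of iControl SOAP internals; it models a generic management endpoint and shows the two standard server-side checks (Origin validation and a per-session anti-CSRF token) that turn the forged request into a 403 while the legitimate same-origin request still succeeds. The origin, cookie and header names are constructed for the example.

```python
"""Added example (not F5's code): why a CSRF against a management
interface works when the only check is "does a valid session cookie
arrive", and the two server-side checks that stop it.
All endpoint, cookie and header names are constructed for illustration."""
import hmac
import secrets

# Constructed: the origin the management UI is legitimately served from.
TRUSTED_ORIGIN = "https://bigip.example.internal"


class Session:
    def __init__(self, user):
        self.user = user
        # Per-session random token; the hostile site cannot read it
        # because it is bound to the trusted origin, not the cookie.
        self.csrf_token = secrets.token_hex(16)


SESSIONS = {}  # cookie value -> Session


def login(user):
    """Create a session and return the cookie value the browser stores."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user)
    return cookie


def handle_naive(request):
    """Cookie-only authorization: any request carrying a valid session
    cookie is accepted, including one triggered by another site."""
    if SESSIONS.get(request.get("cookie")) is None:
        return 401
    return 200


def handle_hardened(request):
    """Same endpoint with Origin check plus anti-CSRF token check."""
    sess = SESSIONS.get(request.get("cookie"))
    if sess is None:
        return 401
    # Browsers set Origin (or Referer) on cross-site requests and the
    # attacking page cannot override it, so a foreign value is rejected.
    origin = request.get("origin") or request.get("referer") or ""
    if not origin.startswith(TRUSTED_ORIGIN):
        return 403
    # The token is only known to pages served from the trusted origin;
    # compare in constant time to avoid leaking it byte by byte.
    token = request.get("x-csrf-token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403
    return 200


def demo():
    """Return (naive verdict on forged, hardened verdict on forged,
    hardened verdict on legitimate) for a logged-in admin session."""
    cookie = login("admin")
    # Constructed: request fired from a hostile page; the browser still
    # attaches the session cookie, but Origin names the hostile site and
    # no anti-CSRF token is present.
    forged = {"cookie": cookie, "origin": "https://attacker.example"}
    # Constructed: request from the real management UI.
    legit = {
        "cookie": cookie,
        "origin": TRUSTED_ORIGIN,
        "x-csrf-token": SESSIONS[cookie].csrf_token,
    }
    return handle_naive(forged), handle_hardened(forged), handle_hardened(legit)


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The Origin check alone is enough against a plain browser-driven CSRF; the token is the second layer for clients or proxies that strip the header. Neither check is a substitute for the vendor patch, which is the only fix for the actual flaw.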

Also identified were three other instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary patches as and when they become available to mitigate potential risks.
