F5 fixed 2 high-severity Remote Code Execution bugs in its products

Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products.

Rapid7 researchers discovered several vulnerabilities in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS. The experts also discovered several bypasses of security controls that the security vendor F5 does not recognize as exploitable vulnerabilities.

The vulnerabilities discovered by the experts are:

CVE-2022-41622 is an unauthenticated remote code execution via cross-site request forgery (CSRF) that impacts BIG-IP and BIG-IQ products.

“An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system.” reads the advisory published by the vendor.

CVE-2022-41800 is an authenticated remote code execution via RPM spec injection that resides in the Appliance mode iControl REST. In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role can bypass Appliance mode restrictions.

“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure.” reads the advisory. “Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.”

The above vulnerabilities have been rated as high-severity.

Rapid7 reported both vulnerabilities to F5 on August 18, 2022, it also supported the vendor addressing them.

Below are the bypasses of security controls that F5 rejected because not exploitable:

• ID1145045 – Local privilege escalation via bad UNIX socket permissions (CWE-269)
• ID1144093 – SELinux bypass via incorrect file context (CWE-732)
• ID1144057 – SELinux bypass via command injection in an update script (CWE-78)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]