F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

Adam Bannister 16 November 2022 at 15:02 UTC
Updated: 16 November 2022 at 15:06 UTC

Widespread exploitation deemed ‘unlikely’ given hurdles

Security vendor F5 has prepared hotfixes for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).

Software updates containing patches are also in the pipeline for the bugs, which despite potentially severe outcomes have significant barriers to exploitation.

F5 has assigned the most severe of the flaws a ‘high’ severity CVSS score of 8.8, but Rapid7 said this isn’t a “drop everything to fix” situation.

CSRF to RCE

The vulnerability (CVE-2022-41622) leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery (CSRF) because Big-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses, according to a blog post published today (November 16) by Ron Bowes, lead security researcher at Rapid7.

The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing (as is recommended).

However, “that requires a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network)”, said Bowes.

Read more of the latest enterprise security news

If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.

Bowes, who uncovered the flaws, said “several of the exploit paths require SELinux bypasses” – which he duly found.

The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.

Exploit chain

Bowes also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless have “a reasonable attack surface” for use as part of an exploit chain.

He said F5 had addressed a SELinux bypass arising through command injection in an update script but declined to assign a CVE.

“We disagree with their assessment because SELinux is a security boundary,” said Bowes.

“We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.”

Bowes also found a SELinux bypass via incorrect file context and a local privilege escalation via inadequate UNIX socket permissions.

RECOMMENDED BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool

F5 told The Daily Swig:

“As noted by Rapid7, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism. We know of no way in which an attacker would be able to take advantage of these issues at this time and therefore do not consider them vulnerabilities and did not issue CVEs.

“F5 is evaluating these issues as part of a defense-in-depth approach and will look to address them in future releases. We recommend customers adhere to security best practices to reduce any risk should design or threat models change in the future.”

Hotfixes, patches

F5 added: “We recommend customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.”

At the time of disclosure, F5 is apparently not aware of any active exploitation of the vulnerabilities. Rapid7 believes “widespread exploitation” is “unlikely”.

DON’T MISS Zendesk Explore flaws opened the door to account pillage