F5 released patches for vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).
The vulnerability CVE-2022-41622 leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery because Big-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses.
The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing. If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.
The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, the risk is “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.
Researchers also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless has “a reasonable attack surface” for use as part of an exploit chain. F5 had addressed an SELinux bypass arising through command injection in an update script but declined to assign a CVE.
F5 recommends customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.F5 is apparently not aware of any active exploitation of the vulnerabilities.