A number of security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could lead to a full compromise of affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows –
- CVE-2022-41622 (CVSS score: 8.8) – A cross-site request forgery (CSRF) vulnerability via iControl SOAP, leading to unauthenticated remote code execution.
- CVE-2022-41800 (CVSS score: 8.7) – An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.
“By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface is not internet-facing),” Rapid7 researcher Ron Bowes said.
However, it is worth noting that such an exploit requires an administrator with an active session on the management interface to visit a hostile website: the attacker's page makes the browser submit a request to the device, and the browser attaches the administrator's session cookie, so the attacker never needs credentials of their own.
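The CSRF condition above is the part a defender can look for in proxy or management-interface access logs: a POST to the iControl SOAP endpoint that carries a session cookie but whose Origin or Referer names some other site. The following Python is an added example written for this page; it is not code from the article, Rapid7, or F5. The management hostname, the `/iControl/iControlPortal.cgi` path, the `BIGIPAuthCookie` cookie name and the four request samples are all constructed for illustration.

```python
"""Flag cross-site POSTs to a BIG-IP-style iControl SOAP endpoint in raw HTTP logs.

Added example; assumptions are marked. The heuristic is generic CSRF triage:
a state-changing request that rides a session cookie but originates from a
host other than the management interface itself.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MGMT_HOST = "bigip-mgmt.corp.example"       # assumed management-interface hostname
SOAP_PATH = "/iControl/iControlPortal.cgi"  # assumed iControl SOAP endpoint path


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        """Host header without any port, lower-cased for comparison."""
        return self.headers.get("host", "").split(":")[0].lower()


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.1 request (request line plus headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, headers)


def source_host(req: Request):
    """Host the browser claims the request came from: Origin first, then Referer."""
    for name in ("origin", "referer"):
        value = req.headers.get(name)
        if value and value.lower() != "null":
            return (urlsplit(value).hostname or "").lower()
    return None


def classify(req: Request) -> tuple:
    """Return (flagged, reason) for one request."""
    if req.method != "POST" or req.host != MGMT_HOST or not req.path.startswith(SOAP_PATH):
        return False, "not a POST to the iControl SOAP endpoint"
    if "cookie" not in req.headers:
        return False, "no session cookie, so nothing for a CSRF to ride on"
    origin = source_host(req)
    if origin is None:
        return True, "session cookie present but no Origin/Referer"
    if origin != req.host:
        return True, f"cross-site request from {origin}"
    return False, "same-origin request"


def scan(raw_requests) -> list:
    """Return [(index, reason)] for every request the heuristic flags."""
    flagged = []
    for i, raw in enumerate(raw_requests):
        hit, reason = classify(parse_request(raw))
        if hit:
            flagged.append((i, reason))
    return flagged


# Constructed sample traffic (not real captures). The cookie name is assumed.
SAMPLE_REQUESTS = [
    # 0: SOAP call issued by the device's own web UI; same origin, benign
    "POST /iControl/iControlPortal.cgi HTTP/1.1\r\nHost: bigip-mgmt.corp.example\r\n"
    "Origin: https://bigip-mgmt.corp.example\r\nCookie: BIGIPAuthCookie=example\r\n"
    "Content-Type: text/xml\r\n\r\n<soap/>",
    # 1: browser submitted this from a third-party page while the admin was logged in
    "POST /iControl/iControlPortal.cgi HTTP/1.1\r\nHost: bigip-mgmt.corp.example\r\n"
    "Origin: https://attacker.example\r\nCookie: BIGIPAuthCookie=example\r\n"
    "Content-Type: text/plain\r\n\r\n<soap/>",
    # 2: same endpoint with no cookie; unauthenticated, so not a CSRF
    "POST /iControl/iControlPortal.cgi HTTP/1.1\r\nHost: bigip-mgmt.corp.example\r\n"
    "Content-Type: text/xml\r\n\r\n<soap/>",
    # 3: ordinary UI page load; ignored
    "GET /tmui/login.jsp HTTP/1.1\r\nHost: bigip-mgmt.corp.example\r\n\r\n",
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {reason}")
```

Only request 1 is flagged. A request with no Origin and no Referer is also flagged, because browsers strip those headers in some privacy configurations and a missing source is not evidence of a same-origin caller. The same check applied at the server side (reject SOAP POSTs whose Origin is not the management host) is the classic CSRF mitigation, but for the devices named here the vendor patch is the fix; this script is for triage of existing logs, not a substitute for it.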
Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.
Should such a scenario arise, an adversary who already has Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.
While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it is recommended that users apply the necessary patches to mitigate potential risks.