F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

Adam Bannister November 16, 2022 at 15:02 UTC

Updated: November 16, 2022 at 15:06 UTC

Widespread exploitation deemed “unlikely” given the obstacles

Security vendor F5 has prepared patches for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ network devices that could lead to remote code execution (RCE).

Software updates containing the fixes are also in the works for the bugs, which, despite their potentially serious impact, present significant obstacles to exploitation.

F5 gave the most serious of the faults a “high” CVSS severity score of 8.8, but Rapid7 said it was not a “drop everything to fix” situation.

CSRF to RCE

The vulnerability (CVE-2022-41622) makes BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via Cross-Site Request Forgery (CSRF) because BIG-IP’s SOAP API lacked CSRF protection and the other defenses typically applied to such an API, according to a blog post published today (November 16) by Ron Bowes, Principal Security Researcher at Rapid7.

The attack “may grant persistent root access to the device’s management interface”, even when this interface is not accessible over the Internet (as recommended).

However, “it requires a confluence of factors to be truly exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would need to have some knowledge of the target network),” Bowes said.


If these prerequisites are met, attackers can execute arbitrary SOAP commands on the API in the authenticated user’s session.
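To make the CSRF point concrete, here is an added illustration (not F5’s code and not the real BIG-IP SOAP API): a minimal cookie-authenticated SOAP-style handler that accepts any cross-site POST carrying the administrator’s session cookie, beside a hardened version that checks the request origin and a per-session token. The management origin, the `create_user` operation, the session store and the request model are all constructed for the example.

```python
"""Added illustration of the CSRF weakness described above: a cookie-
authenticated SOAP-style endpoint with no anti-CSRF controls, beside a
hardened version. Constructed example, not F5 code and not the real
BIG-IP SOAP API; every name below is an assumption for the demo."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed origin of the legitimate management UI.
TRUSTED_ORIGIN = "https://bigip.example.internal"

# Constructed SOAP request: a privileged operation an administrator's browser
# could be made to submit as an ordinary form POST from another site.
SOAP_BODY = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
    '<create_user xmlns="urn:example:mgmt"><name>alice</name></create_user>'
    '</soapenv:Body></soapenv:Envelope>'
)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an HTTP POST as seen by the endpoint."""
    headers: dict
    cookies: dict
    body: str


SESSIONS: dict = {}  # in-memory store: session cookie value -> Session


def login(user):
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def session_cookie(sid):
    """Set-Cookie value for the hardened server: SameSite=Strict stops the
    browser attaching the cookie to cross-site requests in the first place."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def soap_operation(body):
    """Return the local name of the operation element inside the SOAP Body."""
    root = ET.fromstring(body)
    body_el = root.find(f"{{{SOAP_NS}}}Body")
    if body_el is None or len(body_el) == 0:
        raise ValueError("no SOAP operation in Body")
    return body_el[0].tag.rsplit("}", 1)[-1]


def request_origin(headers):
    """Origin the browser reports, falling back to the Referer's scheme+host.
    Returns None when neither is present so callers fail closed."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def vulnerable_handler(req):
    """Trusts the session cookie alone. A browser attaches that cookie to a
    cross-site form POST automatically, so any page the administrator visits
    can invoke the API inside the administrator's session."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    return 200, f"{sess.user} ran {soap_operation(req.body)}"


def hardened_handler(req):
    """Same endpoint with two independent anti-CSRF controls."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    # 1. Exact-match origin check (a prefix match would accept a host such as
    #    https://bigip.example.internal.evil.test).
    if request_origin(req.headers) != TRUSTED_ORIGIN:
        return 403, "cross-origin request refused"
    # 2. Per-session token that only first-party script can read and send.
    token = req.headers.get("X-CSRF-Token", "")
    if not secrets.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess.user} ran {soap_operation(req.body)}"


if __name__ == "__main__":
    sid = login("admin")
    cross_site = Request({"Origin": "https://attacker.test"}, {"sid": sid}, SOAP_BODY)
    first_party = Request(
        {"Origin": TRUSTED_ORIGIN, "X-CSRF-Token": SESSIONS[sid].csrf_token},
        {"sid": sid}, SOAP_BODY)
    print("vulnerable, cross-site :", vulnerable_handler(cross_site))
    print("hardened,   cross-site :", hardened_handler(cross_site))
    print("hardened,   first-party:", hardened_handler(first_party))
```

The origin check and the token are deliberately independent: a missing `Origin` header fails closed rather than being treated as first-party, and the token comparison uses a constant-time function so the second control does not leak through timing. `SameSite=Strict` on the cookie is a third layer that removes the cookie from cross-site requests before either server-side check runs.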

Bowes, who discovered the flaws, said “several of the exploit paths require SELinux workarounds” – which he duly found.

The second issue, tracked as CVE-2022-41800, means that iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk to be “low” given that iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.

Chain of operation

Bowes also discovered a trio of security check bypasses “that F5 doesn’t take into account as vulnerabilities” but which still have “a reasonable attack surface” to use as part of an exploit chain.

He said F5 fixed an SELinux workaround that resulted from injecting commands into an update script, but refused to assign a CVE.

“We disagree with their assessment because SELinux is a security frontier,” Bowes said.

“We would normally consider this a very low risk vulnerability, but as we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe that it is important.”

Bowes also found an SELinux workaround via incorrect file context and local elevation of privilege via inadequate UNIX socket permissions.


F5 told The Daily Swig:

“As noted by Rapid7, there is no known way to exploit these issues without first circumventing existing security controls using an unknown or undiscovered mechanism. We are not aware of any means by which an attacker could take advantage of these issues at this time and therefore do not consider them vulnerabilities and have not issued a CVE.

“F5 is evaluating these issues as part of a defense-in-depth approach and will seek to resolve them in future releases. We recommend that customers adhere to security best practices to reduce any risk if the design or patterns of threat were to change in the future.”

Fixes, fixes

F5 added: “We recommend that customers review the security advisories on AskF5 to assess their exposure and obtain details of recommended mitigation measures. Engineering fixes are available on request for both CVEs, and these fixes will be included in future releases as soon as possible.”

At the time of disclosure, F5 was apparently unaware of any active exploitation of the vulnerabilities. Rapid7 considers “widespread exploitation” to be “unlikely”.
