F5 fixed 2 high-severity Remote Code Execution bugs in its products

November 16, 2022  By Pierluigi Paganini


Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products.

Rapid7 researchers discovered several vulnerabilities in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS. The experts also discovered several bypasses of security controls that the security vendor F5 does not recognize as exploitable vulnerabilities.

The vulnerabilities discovered by the experts are:

CVE-2022-41622 is an unauthenticated remote code execution via cross-site request forgery (CSRF) that impacts BIG-IP and BIG-IQ products.

“An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system.” reads the advisory published by the vendor.

CVE-2022-41800 is an authenticated remote code execution via RPM spec injection that resides in the Appliance mode iControl REST. In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role can bypass Appliance mode restrictions.

“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure.” reads the advisory. “Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.”

The above vulnerabilities have been rated as high-severity.

Rapid7 reported both vulnerabilities to F5 on August 18, 2022, it also supported the vendor addressing them.

Below are the bypasses of security controls that F5 rejected because not exploitable:

  • ID1145045 – Local privilege escalation via bad UNIX socket permissions (CWE-269)
  • ID1144093 – SELinux bypass via incorrect file context (CWE-732)
  • ID1144057 – SELinux bypass via command injection in an update script (CWE-78)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BIG-IP)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs

 North Korea-linked Lazarus APT is using a new version of the DTrack backdoor in attacks aimed at organizations in Europe...