Flash Notice: Two High-Severity Vulnerabilities Found in F5 BIG-IP and BIG-IQ Products

overview

This week, Rapid7 researchers discovered two high-severity vulnerabilities in F5 BIG-IP and BIG-IQ products running customized distribution of CentOS. CVE-2022-41622 is an unauthenticated remote code execution vulnerability impacting BIG-IP products, while CVE-2022-41800 is an authenticated remote code execution vulnerability impacting BIG-IQ products. 

According to F5, an attacker may exploit CVE-2022-41622 to trick users who have Resource Administrator role privileges and are authenticated through basic authentication in iControl SOAP. Even though the vulnerability can only be exploited through the control plane, an attacker can compromise the complete system if successful.  

Rapid7’s researchers stated that although CVE-2022-41622 is the more serious vulnerability, an attacker would only be successful if an administrator with an active session is tricked into visiting a malicious website with the same browser used for managing BIG-IP. The vulnerable versions of BIG-IP are as follows:  

• 13.1.0 – 13.1.5 
• 14.1.0 – 14.1.5 
• 15.1.0 – 15.1.8 
• 16.1.0 – 16.1.3 
• 17.0.0 

As for CVE-2022-41800, F5 stated that an authenticated attacker with valid user credentials assigned as Administrator may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. If successful, the vulnerability could allow the attacker to cross a security boundary. The vulnerable versions of BIG-IQ are as follows:  

• 7.1.0 
• 8.0.0 – 8.2.0 

Although F5 is not aware of any exploitation incidents, they still recommend that all impacted customers request the engineering hotfix for their product version from F5 and install the hotfix manually.  

How Avertium is Protecting Our CUSTOMERS

• Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is great than the sum of its parts. 
• Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident.  
• Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  

Avertium's recommendations    

F5 Recommends the following to mitigate CVE-2022-41622: 

BIG-IP mitigation 

• For the BIG-IP system only, restrict access to the system's iControl SOAP API to only trusted users. If you are not using the iControl SOAP API, then you can disable all access by setting the iControl SOAP API allowed list to an empty list. To do so, perform the following procedure: 

1. Log in to tmsh by entering the following command: tmsh 
2. Remove all IP addresses or range of IP addresses from the list of allowed addresses by entering the following command: modify /sys icontrol-soap allow replace-all-with { } 
3. Save the change by entering the following command: save /sys config 

• You can find further mitigation instruction in F5’s advisory.  

F5 recommends the following to mitigate CVE-2022-41800 until you can install the fixed version:  

BIG-IQ mitigation  

• Block iControl REST access through the self IP address 
• Block iControl REST access through the management interface 
• You can find further mitigation instruction in F5’s advisory.  

INDICATORS OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2022-41622 and CVE-2022-41800. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

SUPPORTING DOCUMENTATION

F5 fixed 2 high-severity RCE bugs in its productsSecurity Affairs 

Appliance mode iControl REST vulnerability CVE-2022-41800 (f5.com) 

iControl SOAP vulnerability CVE-2022-41622 (f5.com) 

F5 fixes two remote code execution flaws in BIG-IP, BIG-IQ (bleepingcomputer.com)