CVE-2022-41622 exposes BIG-IP and BIG-IQ to remote code execution (RCE) via cross-site request forgery (CSRF): the iControl SOAP API lacks CSRF protection and other countermeasures, so an attacker who holds no credentials of their own can have an already authenticated administrator's browser issue the requests for them.
CVE-2022-41622 and CVE-2022-41800 Vulnerabilities
An attacker can trick a user who holds at least the Resource Administrator role and is authenticated to iControl SOAP through basic authentication into performing critical actions, for example by luring the user to a malicious web page while the browser still holds the cached credentials. The vulnerability is only exploitable through the control plane (the management interface), not through the data plane. Successful exploitation compromises the entire system.
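The mechanism behind the CSRF described above, shown as an added example that is not F5's code: an endpoint that authorizes on a basic-auth credential alone accepts a request that an attacker's page caused the administrator's browser to send, because the browser attaches the cached Authorization header on its own. The hardened version additionally demands evidence that a state-changing request is same-site (Sec-Fetch-Site, Origin or Referer, or a custom header that a plain HTML form cannot set). The host name, the endpoint path and the request dictionaries are constructed for illustration and are not captured traffic.

```python
import base64
from urllib.parse import urlparse


def has_basic_auth(request):
    """All that a CSRF-unaware basic-auth endpoint verifies: a credential is attached."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user_pass = base64.b64decode(auth[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b":" in user_pass


def vulnerable_authorize(request):
    """Pre-fix behaviour: the credential the browser attached is enough."""
    return has_basic_auth(request)


def _host_of(url):
    """Host[:port] of an Origin or Referer value; None for 'null' or unparsable values."""
    if not url or url == "null":
        return None
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return parsed.netloc.lower()


def is_same_site(request):
    """Did this state-changing request come from our own origin? Fails closed."""
    headers = request["headers"]
    host = request["host"].lower()
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:  # modern browsers set this on every request
        return fetch_site in ("same-origin", "none")
    origin = headers.get("Origin")
    if origin is not None:  # browsers always send Origin on cross-origin POSTs
        return _host_of(origin) == host
    referer = headers.get("Referer")
    if referer is not None:
        return _host_of(referer) == host
    # No browser metadata at all: a script/CLI client or a stripped request.
    # HTML forms cannot add custom headers, and a cross-origin XHR carrying one
    # needs a CORS preflight the server never approves, so demand one.
    return "X-Requested-With" in headers


def hardened_authorize(request):
    """Post-fix behaviour: credential AND evidence the request is same-site."""
    return has_basic_auth(request) and is_same_site(request)


# Constructed sample requests (not captured traffic); the endpoint path is illustrative.
_CRED = "Basic " + base64.b64encode(b"admin:Secret123").decode()
_PATH = "/iControl/iControlPortal.cgi"
FORGED = {  # admin's browser auto-submitting a form planted on an attacker's page
    "host": "bigip.example.internal", "path": _PATH,
    "headers": {"Authorization": _CRED, "Origin": "https://attacker.example",
                "Referer": "https://attacker.example/lure.html", "Content-Type": "text/xml"},
}
LEGIT = {  # the same call made from the appliance's own UI
    "host": "bigip.example.internal", "path": _PATH,
    "headers": {"Authorization": _CRED, "Origin": "https://bigip.example.internal",
                "Sec-Fetch-Site": "same-origin", "Content-Type": "text/xml"},
}
SCRIPT = {  # automation client: no browser headers, custom header present
    "host": "bigip.example.internal", "path": _PATH,
    "headers": {"Authorization": _CRED, "X-Requested-With": "automation",
                "Content-Type": "text/xml"},
}
SANDBOXED = {  # sandboxed iframe: browsers send "Origin: null"
    "host": "bigip.example.internal", "path": _PATH,
    "headers": {"Authorization": _CRED, "Origin": "null", "Content-Type": "text/xml"},
}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT),
                      ("script", SCRIPT), ("sandboxed", SANDBOXED)):
        print(name, "vulnerable:", vulnerable_authorize(req),
              "hardened:", hardened_authorize(req))
```

The forged request passes the credential-only check and fails the hardened one, while the legitimate UI call and the automation client still succeed. The cost of failing closed is that an automation client sending no Origin, Referer or custom header is rejected; that is the usual trade-off for a token-less CSRF defence, and nothing here describes how F5's own fix is implemented.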
According to Ron Bowes of Rapid7, who reported the flaws, some of the exploit paths additionally require an SELinux bypass.
The second vulnerability, CVE-2022-41800, affects iControl REST on systems running in Appliance mode: an authenticated remote attacker holding the Administrator role can bypass the Appliance mode restrictions and execute arbitrary code, which is precisely what Appliance mode is meant to prevent.
Which F5 Products are Vulnerable?
CVE | Vulnerability (AskF5 article) | CVSS score | Affected products | Affected versions
--- | --- | --- | --- | ---
CVE-2022-41622 | K94221585: iControl SOAP vulnerability | 8.8 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5
CVE-2022-41622 | K94221585: iControl SOAP vulnerability | 8.8 | BIG-IQ Centralized Management | 8.0.0 – 8.2.0, 7.1.0
CVE-2022-41800 | K13325942: Appliance mode iControl REST vulnerability | 8.7 | BIG-IP (all modules) | 17.0.0, 16.1.0 – 16.1.3, 15.1.0 – 15.1.8, 14.1.0 – 14.1.5, 13.1.0 – 13.1.5
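A quick way to turn the ranges in the table above into a check, as an added example rather than an F5 tool: parse the product and version out of `tmsh show sys version` output and compare the first three version components against the published ranges. The sample output is constructed in the shape of that command's output, not taken from a real device. An empty result means "not in the published ranges", not "verified safe": older end-of-support branches do not appear in the table at all, and an engineering hotfix keeps the same base version, so the check flags the edition field when it mentions a hotfix instead of silently passing.

```python
import re

# Affected ranges from the advisories cited above (K94221585, K13325942), as
# inclusive (low, high) pairs compared on major.minor.maintenance.
AFFECTED = {
    "CVE-2022-41622": {
        "BIG-IP": [("17.0.0", "17.0.0"), ("16.1.0", "16.1.3"), ("15.1.0", "15.1.8"),
                   ("14.1.0", "14.1.5"), ("13.1.0", "13.1.5")],
        "BIG-IQ": [("8.0.0", "8.2.0"), ("7.1.0", "7.1.0")],
    },
    "CVE-2022-41800": {
        "BIG-IP": [("17.0.0", "17.0.0"), ("16.1.0", "16.1.3"), ("15.1.0", "15.1.8"),
                   ("14.1.0", "14.1.5"), ("13.1.0", "13.1.5")],
    },
}


def parse_version(text):
    """'16.1.3.2' -> (16, 1, 3). F5 publishes ranges on major.minor.maintenance,
    so a point release such as 16.1.3.2 falls inside the 16.1.3 entry."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError("unrecognised F5 version string: %r" % text)
    return tuple(int(p) for p in parts[:3])


def affected_cves(product, version):
    """CVEs from the table whose ranges contain `version` for `product`.
    Empty list = not in the published ranges (older branches are not listed)."""
    key = product.strip().upper().replace(" CENTRALIZED MANAGEMENT", "")
    v = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(key, []):
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
                break
    return sorted(hits)


def parse_sys_version(output):
    """Extract Product, Version and Edition from `tmsh show sys version` output."""
    fields = {}
    for key in ("Product", "Version", "Edition"):
        m = re.search(r"^\s*%s\s+(\S.*?)\s*$" % key, output, re.MULTILINE)
        if m:
            fields[key.lower()] = m.group(1)
    return fields


def assess(output):
    """Which CVEs apply to the device described by `output`, plus a caveat when the
    edition suggests an engineering hotfix, whose base version still matches the ranges."""
    f = parse_sys_version(output)
    cves = affected_cves(f["product"], f["version"])
    hotfixed = "hotfix" in f.get("edition", "").lower()
    note = "engineering hotfix installed; confirm it covers these CVEs" if (hotfixed and cves) else ""
    return {"product": f["product"], "version": f["version"], "cves": cves, "note": note}


# Constructed sample in the shape of `tmsh show sys version` output (not from a real device).
SAMPLE_OUTPUT = """
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12
  Edition     Final
  Date        Mon Aug 15 09:53:43 PDT 2022
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))
```

Run it against the real command output captured from each device, or against the `Version` field of the iControl REST `/mgmt/tm/sys/version` response, and treat any non-empty `cves` list as a device to hotfix or isolate.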
Mitigation
F5 has made engineering hotfixes available; fixed releases have not yet shipped, so administrators should keep checking the AskF5 articles (K94221585 and K13325942) for the fixed versions. Until a fix is applied, restrict access to the management interface and to iControl SOAP/REST to trusted networks only, and avoid browsing untrusted sites from a browser that is logged in to a BIG-IP or BIG-IQ management interface, since the CSRF relies on exactly that cached session.