F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

Updated on 2022-11-18: F5 Big-IP vulnerabilities

Rapid7’s Ron Bowes published details on CVE-2022-41622 and CVE-2022-41800, two vulnerabilities in the Big-IP load balancer, patched this week by F5. Read more:

• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
• K97843387: Overview of F5 vulnerabilities (November 2022)

Overview: F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

F5 has released updates to address two high-severity remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ products. While the flaws are not trivial to exploit, they could be used to gain complete control of vulnerable devices. Researchers from Rapid7 found the vulnerabilities – an unauthenticated RCE via cross-site forgery on iControl SOAP and an authenticated RCE via RPM spec injection, impacting the iControl REST component – as well as “several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface.”

Note

These are difficult to exploit, so you can do regression testing and plan your outage. Even so, don’t assume these are not exploitable; with the publishing of the fix and vulnerability, that is actively being worked. Implement the recommended mitigations from F5 to restrict access to the management interfaces from both the self IP address and your network until you can apply the updates. Consider leaving long term restrictions on where management connections to your F5’s can originate from.

Read more in

• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
• F5 fixes two remote code execution flaws in BIG-IP, BIG-IQ
• Remote Code Execution Vulnerabilities Found in F5 Products
• High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices
• K13325942: Appliance mode iControl REST vulnerability CVE-2022-41800
• K94221585: iControl SOAP vulnerability CVE-2022-41622