F5 developers have released patches for BIG-IP and BIG-IQ products and the patches fixed two serious vulnerabilities that could allow unauthenticated attackers to remotely execute arbitrary code (RCE) on vulnerable endpoints.
Fortunately, exploitation of both problems requires certain conditions to be met, which makes these vulnerabilities difficult to exploit. However, F5 warns that successful exploitation can lead to complete compromise of devices.Let me remind you that we also reported that After publication of the attacks, information security experts record massive on vulnerabilities in F5 BIG-IP, and also that, for example, REvil and Maze hacker groups often used similar vulnerabilities, which allowed them to compromise the world largest companies.
The most severe of the two vulnerabilities is CVE-2022-41622 (CVSS Vulnerability Score 8.8), which is a CSRF bug in iControl SOAP affecting BIG-IP and BIG-IQ. Exploitation allows a remote, unauthenticated attacker to gain root access to the device management interface, even if the interface itself is not connected to the internet.
However, exploiting the problem requires the attacker to have some understanding of the target network, and would also need to convince the logged-in administrator to visit a malicious site configured to exploit CVE-2022-41622.
Interestingly, in order to address CVE-2022-41622, administrators are advised to disable basic authentication for iControl SOAP after installing the patch.
The second vulnerability, CVE-2022-41800 (CVSS score of 8.7), is an RCE that allows an attacker with administrator rights to execute arbitrary shell commands through RPM specification files. The problem also poses a threat to BIG-IP and BIG-IQ.
Both problems were discovered by Rapid7 researchers (if you remember, this company also had some pretty serious security problems) in July 2022 and brought to the attention of F5 in August 2022. This week, Rapid7 released a detailed report on these flaws, revealing the technical details of the vulnerabilities.
