Researchers have disclosed two vulnerabilities in the popular F5 BIG-IP appliances, one of which can lead to remote code execution in some instances, and another that can allow code execution for authenticated users. F5 has not released updated software versions to address the flaws, but has developed hotfixes that customers can request.
The two vulnerabilities affect many versions of the F5 appliances, and researchers at Rapid7 discovered them and developed exploitation methods for them. The more serious of the two flaws is a CSRF bug (CVE-2022-41622) in the SOAP API in the BIG-IP software and an attacker could exploit it to gain remote code execution on a target device, with some preexisting conditions.
“F5 Big-IP's SOAP API (the endpoint /iControl/iControlPortal.cgi) does not have cross-site request forgery (CSRF) protection, nor does it require a correct Content-Type or other typical SOAP API protections. Consequently, if a user (who is authenticated to an F5 Big-IP device) visits an attacker-controlled website (or is redirected there via an open redirect or cross-site scripting), an attacker can run arbitrary SOAP commands against the F5 Big-IP SOAP API in the authenticated user's session. That could lead to remote code execution in several different ways,” Ron Bowes of Rapid7 wrote in an explanation of the vulnerabilities.
“The API endpoint for SOAP requests, iControlPortal.cgi, which is accessible at /iControl/iControlPortal.cgi, is a CGI script that is SetUID root — that is, it executes as root. The script authenticates the user via HTTP Basic authentication and accepts XML SOAP requests. The XML API is quite complex with many different API endpoints available to use. We chose the upload_file and create_user_3 endpoints as examples in our PoC, because they demonstrate the impact of the exploit concisely.”
That flaw is not simple to exploit, and Bowes said there are some considerable obstacles, including the fact that an attacker would likely need to bypass the protections of SELinux hardening on the devices, which is no mean feat.
The second vulnerability (CVE-2022-41800) is less serious, but could allow an attacker to run shell commands on a target device under some circumstances. The attacker would need to be authenticated, however, and Bowes said he considers the risk of the bug to be low.
“F5 Big-IP's JSON API includes an administrator-only endpoint that creates an RPM specification file (.rpmspec). That file is consumed by another administrator-only endpoint to create an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where additional fields could be added to the spec using newlines. Notably, an attacker could add executable shell commands that run when the resultant RPM file is created,” Bowes said.
“This would give authenticated administrators (who may be malicious insiders, users of compromised accounts, etc) the ability to run shell commands using an endpoint that is not designed or documented as having that functionality.”
Both vulnerabilities affect versions 13.x, 14.x, 15.x, 16.x, and 17.x of the F5 BIG-IP software. CVE-2022-41622 also affect versions 7.x and 8.x of the BIG-IQ Centralized Management product. F5 said it is not aware of any exploitation of these flaws at this point.