F5 Released Hotfixes for BIG-IP and iControl REST Vulnerabilities

What are the CVE-2022-41622 and CVE-2022-41800 Vulnerabilities?

The vulnerability CVE-2022-41622 makes BIG-IP and BIG-IQ vulnerable to unauthenticated remote code execution (RCE) via cross-site request forgery due to Big-IP’s SOAP API lacking CSRF protection and other protective measures.

A remote attacker can carry out the attack even if the device is set to be inaccessible via the internet. A successful exploit could grant persistent root access to the management interface. An administrator user must visit a malicious website while their session is active for this to work.

According to researcher Ron Bowes, SELinux bypasses are necessary for a few exploit paths.

The second vulnerability, identified as CVE-2022-41800, could be exploited in appliance mode, allowing an authenticated remote attacker to execute arbitrary code in iControl REST.

Additionally, Bowes discovered three security control bypasses that could be used as a link in an exploit chain. He claimed that F5 had fixed a SELinux bypass caused by command injection in an update script but declined to give it a CVE.

*SOCRadar Vulnerability Intelligence module provides you with up-to-date information about the latest vulnerabilities.*

Which F5 Products are Vulnerable?

CVE	Vulnerability	CVSS score	Affected products	Affected versions
CVE-2022-41622	K94221585: iControl SOAP Vulnerability	8.8	BIG-IP (all modules)	17.0.0 16.1.0 – 16.1.3 15.1.0 – 15.1.8 14.1.0 – 14.1.5 13.1.0 – 13.1.5
CVE-2022-41622	K94221585: iControl SOAP Vulnerability	8.8	BIG-IQ Centralized Management	8.0.0 – 8.2.0 7.1.0
CVE-2022-41800	K13325942: Appliance mode iControl REST vulnerability	8.7	BIG-IP (all modules)	17.0.0 16.1.0 – 16.1.3 15.1.0 – 15.1.8 14.1.0 – 14.1.5 13.1.0 – 13.1.5

Is There Any Exploit Code for the Vulnerabilities?

Security researchers state that there is currently no proof-of-concept or exploit code for the CVE-2022-41622 and CVE-2022-41800 vulnerabilities.

Are CVE-2022-41622 and CVE-2022-41800 Actively Exploited in the Wild?

Active exploitation of the vulnerabilities is not known. According to Rapid7, widespread exploitation is not likely.

Is There Any Mitigation or Patch Available?

Hotfixes are available. Users are recommended to keep checking AskF5, as fixes for these vulnerabilities will be released soon.

How to Protect Against the Vulnerabilities?

Beware of web applications and sites that seem unreliable. Use one browser for trusted sources and another for general browsing to protect yourself from CSRF attacks that require active sessions. Apply the latest patches for your software and devices to stay protected against vulnerabilities.