F5 has released fixes for a long list of vulnerabilities in its BIG-IP line of security appliances, including one that could allow a remote attacker to take complete control of a target appliance.
The company patched 21 vulnerabilities in all, many of which are high-severity flaws that can give an attacker some level of control over an appliance or allow traffic disruption. The bugs don’t affect F5 Cloud Services or Threat Stack.
Perhaps the most useful vulnerability to an attacker is CVE-2022-35728, which is related to the way that BIG-IP boxes handle iControl REST tokens, which are used for authentication for local and remote users.
“A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user’s iControl REST token generated from the Configuration utility and access through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only,” the F5 advisory says.
That vulnerability affects versions 13.x-17.x of BIG-IP, as well as some versions of BIG-IP SPK, and BIG-IQ Centralized Management. For organizations that can’t install the updated versions immediately, there is a workaround that will mitigate this vulnerability.
“You can block all access to the iControl REST interface of your BIG-IP or BIG-IQ system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST,” the advisory says.
“By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured. If you must expose port 443 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system.”
Among the other bugs F5 patched in its Aug. 3 release is another vulnerability related to the iControl REST functionality, which affects an undisclosed endpoint. This flaw affects BIG-IP versions 13.x-17.x.
“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances,” the F5 advisory says.
The same mitigation strategy applies to this vulnerability (CVE-2022-35243).
The majority of the other vulnerabilities patched in this release are related to denial-of-service, performance degradation, or increased memory usage.