Several security vulnerabilities have been discovered in F5's BIG-IP and BIG-IQ appliances. If successfully exploited, attackers can take full control of the affected devices.
According to experts from Rapid7, security holes can be used by hackers to gain remote access to devices and bypass security solutions. The vulnerabilities affect BIG-IP versions 13.x, 14.x, 15.x, 16.x and 17.x, as well as BIG-IQ Centralized Management versions 7.x and 8.x.
Below is information about the vulnerabilities reported by F5 on August 18, 2022:
- CVE-2022-41622 (CVSS score of 8.8 out of 10) is a cross-site request forgery (CSRF) vulnerability over iControl SOAP that allows attackers to remotely execute arbitrary code without authentication. With its help, a hacker can gain root access to the device management interface, even if he does not go online. Successful exploitation of this vulnerability requires an administrator with an active session to visit a malicious website;
- CVE-2022-41800 (CVSS score of 8.7 out of 10) is a vulnerability in iControl REST that allows an authorized user with an administrator role to bypass Appliance mode restrictions.
In addition, three different scenarios have been identified in which attackers can bypass security systems. However, they cannot be used without first breaking existing security systems.
And although F5 did not say that any of the vulnerabilities found were exploited by hackers, experts recommend that users install the necessary updates as soon as possible as they become available in order to reduce potential risks.