Security vendor F5 has prepared hotfixes for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).
Software updates containing patches are also in the pipeline for the bugs, which despite potentially severe outcomes have significant barriers to exploitation.
F5 has assigned the most severe of the flaws a ‘high’ severity CVSS score of 8.8, but Rapid7 said this isn’t a “drop everything to fix” situation.
CSRF to RCE
The vulnerability (CVE-2022-41622) leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery (CSRF) because BIG-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses, according to a blog post published today (November 16) by Ron Bowes, lead security researcher at Rapid7.
The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing (as is recommended).
However, “that requires a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network)”, said Bowes.
If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.
Bowes, who uncovered the flaws, said “several of the exploit paths require SELinux bypasses” – which he duly found.
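The article does not reproduce Rapid7’s request, so the following is an added illustration (not F5’s code, not Rapid7’s exploit) of why a cookie-authenticated SOAP endpoint with no CSRF defenses executes whatever an administrator’s browser can be tricked into sending, and what the “typical SOAP API defenses” the article refers to look like. The path `/api/soap`, the cookie name, the allowed origin, the SOAP namespace and operation, and the shape of the hardened policy are all assumptions for the example; they are not a description of F5’s hotfix.

```python
# Added illustration (not F5's code): why a cookie-authenticated SOAP endpoint
# is CSRF-able, and the usual defences. Path, cookie and header names and the
# allowed origin are assumptions for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOWED_ORIGINS = {"https://bigip.example.internal"}  # assumed management UI origin
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        name = name.lower()
        for key, value in self.headers.items():
            if key.lower() == name:
                return value
        return None


def session_is_valid(req: Request) -> bool:
    # Stand-in for a real session lookup. The browser attaches the cookie to
    # every request for the device's origin, so a forged request passes too.
    return req.cookies.get("session") == "valid-admin-session"


def vulnerable_accepts(req: Request) -> bool:
    """Pre-fix behaviour as the article describes it: the session cookie is the
    only gate, so any POST a browser can be made to send is executed."""
    return req.method == "POST" and session_is_valid(req)


def hardened_accepts(req: Request) -> bool:
    """Typical SOAP API anti-CSRF defences (one reasonable design, assumed here;
    not a description of F5's actual hotfix)."""
    if req.method != "POST" or not session_is_valid(req):
        return False
    # A <form> can only send application/x-www-form-urlencoded,
    # multipart/form-data or text/plain without a CORS preflight, so insisting
    # on a SOAP content type blocks form-based CSRF.
    ctype = (req.header("Content-Type") or "").split(";", 1)[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES:
        return False
    # A custom header also forces a preflight, which the device would refuse.
    if req.header("SOAPAction") is None:
        return False
    # If the browser sent Origin, it must be the management UI itself.
    origin = req.header("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    return True


# Constructed sample traffic. Namespace and operation are placeholders.
SOAP_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><ns:create_admin_user xmlns:ns="urn:example:management">'
    '<name>backdoor</name></ns:create_admin_user></soapenv:Body></soapenv:Envelope>'
)
ADMIN_COOKIE = {"session": "valid-admin-session"}

# What the management UI's own JavaScript client would send.
LEGITIMATE = Request(
    "POST", "/api/soap",
    {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""',
     "Origin": "https://bigip.example.internal"},
    SOAP_BODY, ADMIN_COOKIE,
)

# What an auto-submitting <form method="POST" enctype="text/plain"> on a
# hostile site produces when the admin's browser visits it: the same cookie,
# but a text/plain body, no SOAPAction, and the attacker's Origin. The form
# puts the XML in the input's name, so the body ends in "=x"; a parser that
# ignores Content-Type and trailing bytes still executes the envelope.
FORGED = Request(
    "POST", "/api/soap",
    {"Content-Type": "text/plain", "Origin": "https://attacker.example"},
    SOAP_BODY + "=x", ADMIN_COOKIE,
)

# The same forged request from a browser with no admin session: rejected by both.
UNAUTHENTICATED = Request("POST", "/api/soap", {"Content-Type": "text/plain"}, SOAP_BODY + "=x")


def classify(req: Request) -> List[str]:
    """Which policies accept this request."""
    accepted = []
    if vulnerable_accepts(req):
        accepted.append("vulnerable")
    if hardened_accepts(req):
        accepted.append("hardened")
    return accepted


if __name__ == "__main__":
    for label, req in [("legitimate", LEGITIMATE), ("forged", FORGED), ("no session", UNAUTHENTICATED)]:
        print(f"{label:11s} accepted by: {classify(req) or ['nobody']}")
```

The point the example makes is the one in the article’s prerequisites: the forged request carries the administrator’s real session cookie, so session validity alone cannot distinguish it from a legitimate call. The content-type and custom-header checks work because a browser will not send them cross-origin without a CORS preflight; the Origin check is a second, independent layer. A token bound to the session would be a third. None of this removes the need for the admin to have an active session and visit a hostile page, which is why Rapid7 rates exploitability as requiring a “confluence of factors”.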
The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.
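The article gives no detail on the injection beyond “RPM spec injection”, so the following is an added illustration of the general technique (not the iControl REST code and not the specific input Rapid7 used): a `.spec` file is line-oriented and `%` introduces directives, so a field that reaches the file unescaped with a newline in it can open a scriptlet such as `%pre`, which rpm runs as root when the package is installed. The template, field names and the sample payload are constructed for the example.

```python
# Added illustration of RPM spec injection in general (not the iControl REST
# code or the exact injection Rapid7 found). Template, field names and the
# sample payload are constructed for the example.
import re

SPEC_TEMPLATE = """Name: {name}
Version: {version}
Release: 1
Summary: {summary}
License: Proprietary

%description
{summary}

%files
"""

# A .spec file is line-oriented and '%' introduces directives and macros, so
# any field that reaches the file with a newline or '%' can start a scriptlet
# such as %pre, which rpm runs as root when the package is installed.
SCRIPTLET = re.compile(
    r"^%(pre|post|preun|postun|pretrans|posttrans|prep|build|install|check)\b",
    re.MULTILINE,
)
# rpm package names and versions: no whitespace, no '%'.
SAFE_IDENTIFIER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


class SpecInjectionError(ValueError):
    pass


def render_spec_vulnerable(name: str, version: str, summary: str) -> str:
    """Fields go straight into the template: the injectable pattern."""
    return SPEC_TEMPLATE.format(name=name, version=version, summary=summary)


def render_spec_hardened(name: str, version: str, summary: str) -> str:
    """Reject anything that could add a directive before the spec is written."""
    for label, value in (("name", name), ("version", version)):
        if not SAFE_IDENTIFIER.fullmatch(value):
            raise SpecInjectionError(f"{label!r} must match {SAFE_IDENTIFIER.pattern}")
    if "\n" in summary or "\r" in summary or "%" in summary:
        raise SpecInjectionError("summary must be a single line without '%'")
    return SPEC_TEMPLATE.format(name=name, version=version, summary=summary)


def rejects(name: str, version: str, summary: str) -> bool:
    """True if the hardened renderer refuses these fields."""
    try:
        render_spec_hardened(name, version, summary)
    except SpecInjectionError:
        return True
    return False


def injected_scriptlets(spec: str) -> list:
    """Scriptlet sections present in a rendered spec. For a template that
    defines none, any hit is injected; usable as a last-line check before
    rpmbuild, or for reviewing specs an API has already produced."""
    return SCRIPTLET.findall(spec)


# Constructed attacker-controlled version string: closes the Version line and
# opens a %pre scriptlet whose command rpm would run at install time.
MALICIOUS_VERSION = "1.0\n%pre\nid > /var/tmp/pwned\n"

if __name__ == "__main__":
    spec = render_spec_vulnerable("agent", MALICIOUS_VERSION, "demo")
    print("vulnerable render contains scriptlets:", injected_scriptlets(spec))
    print("hardened render rejected it:", rejects("agent", MALICIOUS_VERSION, "demo"))
```

The allow-list on name and version is the real fix; the scriptlet scan is a detection aid for specs that were generated before the fix. Note that the attacker here must already be able to call the package-building API, which matches the article’s observation that the iControl REST issue requires administrator authentication (and appliance mode) and is therefore low risk on its own.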
Bowes also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless have “a reasonable attack surface” for use as part of an exploit chain.
He said F5 had addressed an SELinux bypass arising through command injection in an update script but declined to assign a CVE.
“We disagree with their assessment because SELinux is a security boundary,” said Bowes.
“We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.”
Bowes also found an SELinux bypass via incorrect file context and a local privilege escalation via inadequate UNIX socket permissions.
F5 told The Daily Swig:
“As noted by Rapid7, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism. We know of no way in which an attacker would be able to take advantage of these issues at this time and therefore do not consider them vulnerabilities and did not issue CVEs.
“F5 is evaluating these issues as part of a defense-in-depth approach and will look to address them in future releases. We recommend customers adhere to security best practices to reduce any risk should design or threat models change in the future.”
F5 added: “We recommend customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.”
At the time of disclosure, F5 was apparently not aware of any active exploitation of the vulnerabilities. Rapid7 believes “widespread exploitation” is “unlikely”.