F5 Patches Vulnerabilities in iControl SOAP and iControl REST Running on F5 BIG-IP and BIG-IQ Devices (CVE-2022-41800 and CVE-2022-41622)

Researchers have discovered two security vulnerabilities in F5 BIG-IP and BIG-IQ devices (CVE-2022-41800 and CVE-2022-41622). The vulnerabilities affect the iControl SOAP and iControl REST interfaces running on F5 BIG-IP and BIG-IQ devices.
   
F5’s BIG-IP is a collection of software and hardware intended to improve application availability, access management, and security. 
 
iControl is the first open API based on full software integration, allowing applications to work with the underlying network. It uses SOAP/XML to provide open connections between diverse systems, helping F5 customers, leading independent software vendors (ISVs), and solution providers reach new levels of automation and configuration-management efficiency. iControl REST provides quick interaction between a user or script and the F5 device.
  
Description 
 
iControl SOAP vulnerability (CVE-2022-41622) 
This vulnerability exposes affected systems to a cross-site request forgery (CSRF) attack through iControl Simple Object Access Protocol (SOAP) on F5 BIG-IP and BIG-IQ devices. Successful exploitation could result in remote code execution.
 
An attacker may trick a user who holds at least the Resource Administrator role and is authenticated to iControl SOAP with basic authentication into performing critical actions. The vulnerability can only be exploited through the control plane, not the data plane. If exploited successfully, it has the potential to compromise the entire system.
 
Appliance mode iControl REST vulnerability (CVE-2022-41800)   
The vulnerability exists in iControl REST when the system runs in Appliance mode and could allow authenticated remote code execution via RPM spec injection. In Appliance mode, an authenticated user with the Administrator role can bypass Appliance mode restrictions by using an undisclosed iControl REST endpoint. On successful exploitation, an attacker could cross a security boundary. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license, or it may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.
 
Affected Versions 
BIG-IP 
CVE-2022-41800 and CVE-2022-41622: 

  • 17.0.0 
  • 16.1.0 – 16.1.3 
  • 15.1.0 – 15.1.8 
  • 14.1.0 – 14.1.5 
  • 13.1.0 – 13.1.5 

 
BIG-IQ 
CVE-2022-41800: 

  • Unaffected 

CVE-2022-41622: 

  • 8.0.0 – 8.2.0 
  • 7.1.0

Mitigation 
CVE-2022-41800: 
The advisory says, “Until you can install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface. The attacker must hold valid credentials to a highly privileged administrative account. Therefore, restricting access may still leave the device exposed to the risk of a malicious insider or lateral movement from another compromised device within the trusted range.” 
 
Block iControl REST access through the self-IP address 
The advisory says, “You can block all access to the iControl REST interface of your BIG-IP system through self-IP addresses. To do so, you can change the Port Lockdown set to Allow None for each self-IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST. By default, iControl REST listens on TCP port 443. Alternatively, you can configure a custom port.” 
 
NOTE: Performing this action prevents all access to the Configuration utility and iControl REST using the self-IP address. These changes may also impact other services, including breaking high availability (HA) configurations. 
 
For more information, please refer to the F5 BIG-IP Security Advisory. 
 
Block iControl REST access through the management interface 
To mitigate this vulnerability, customers should restrict management access to only trusted users and devices over a secure network.  
 
For more information, please refer to the F5 BIG-IP Security Advisory. 
 
CVE-2022-41622:  
“To mitigate this vulnerability, you can use a unique and isolated web browser when managing the BIG-IP or BIG-IQ system”, says the advisory. 
 
BIG-IP mitigation 
For BIG-IP only, restrict access to the system’s iControl SOAP API to only trusted users. If you are not using the iControl SOAP API, then you can disable all access by setting the iControl SOAP API allowed list to an empty list. To do so, perform the following procedure:

  1. Log in to tmsh by entering the command: tmsh
  2. Remove all IP addresses or range of IP addresses from the list of allowed addresses by entering the command: modify /sys icontrol-soap allow replace-all-with { }
  3. Save the change by entering the command: save /sys config 

For more information, please refer to the F5 BIG-IP Security Advisory. 
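The following script is an added example, not F5's or Qualys's code: it audits the iControl SOAP allowed-address list from the output of 'tmsh list /sys icontrol-soap' and, when the list is not already empty, prints the two tmsh commands from the procedure above. The dump format it parses (an 'allow { ... }' line, or 'allow none' once the list is empty) and the wildcard spellings it treats as unrestricted are assumptions based on tmsh's usual listing style, and the sample dumps are constructed; compare them with the output on your own system before relying on the verdict.

```python
"""Audit the iControl SOAP allowed-address list of a BIG-IP from a tmsh dump.

Added example, not F5's or Qualys's code. The dump format below is an
assumption based on tmsh's usual "key { value ... }" listing style; check it
against your own output of 'tmsh list /sys icontrol-soap'.
"""
import re
from dataclasses import dataclass

# Constructed samples of what 'tmsh list /sys icontrol-soap' is assumed to print.
SAMPLE_BEFORE = """sys icontrol-soap {
    allow { 10.0.0.0/8 192.0.2.10 }
}
"""
SAMPLE_AFTER = """sys icontrol-soap {
    allow none
}
"""

# Entries that leave the API reachable from every address (assumed spellings).
UNRESTRICTED = {"all", "*", "0.0.0.0/0"}

# Commands from the advisory's BIG-IP mitigation procedure.
MITIGATION_COMMANDS = [
    "tmsh modify /sys icontrol-soap allow replace-all-with { }",
    "tmsh save /sys config",
]


@dataclass
class SoapAllowList:
    entries: list[str]

    def is_disabled(self) -> bool:
        """Empty list: iControl SOAP accepts connections from nowhere."""
        return not self.entries

    def is_unrestricted(self) -> bool:
        """Any wildcard entry means the list restricts nothing."""
        return any(e.lower() in UNRESTRICTED for e in self.entries)


def parse_icontrol_soap_allow(dump: str) -> SoapAllowList:
    """Extract the 'allow' directive from a 'tmsh list /sys icontrol-soap' dump."""
    m = re.search(r"^\s*allow\s+(?:(none)|\{([^}]*)\})", dump, re.MULTILINE)
    if not m:
        raise ValueError("no 'allow' directive found in tmsh output")
    if m.group(1) == "none":
        return SoapAllowList([])
    return SoapAllowList(m.group(2).split())


def assess(dump: str, soap_api_in_use: bool = False) -> tuple[str, list[str]]:
    """Return a verdict and the tmsh commands still needed to disable the API.

    The advisory's "disable it" step only applies when nothing on the network
    needs iControl SOAP, so commands are only emitted when soap_api_in_use is False.
    """
    allow = parse_icontrol_soap_allow(dump)
    if allow.is_disabled():
        return "disabled", []
    verdict = "unrestricted" if allow.is_unrestricted() else "restricted"
    if not soap_api_in_use:
        return verdict, list(MITIGATION_COMMANDS)
    return verdict, []


if __name__ == "__main__":
    import sys
    # Usage: tmsh list /sys icontrol-soap | python3 audit_icontrol_soap.py
    verdict, todo = assess(sys.stdin.read())
    print(f"iControl SOAP allow list: {verdict}")
    for cmd in todo:
        print("  ", cmd)
```

A "restricted" verdict with specific addresses matches the advisory's first recommendation (trusted users only); the emitted commands implement its second, stronger option for systems that do not use the SOAP API at all.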
 
BIG-IQ mitigation 
For the BIG-IQ system only, restrict the iControl SOAP access to localhost (127.0.0.1) by changing the webd configuration. The following steps can be performed to apply the mitigation:

  1. Log in to the command line of the affected BIG-IQ system as the root user. 
  2. Back up a copy of the webd configuration by entering the following command: cp -p /etc/webd/webd.conf /etc/webd/webd.conf.K9422158
  3. Have a text editor such as vi or nano available to edit the webd configuration.
  4. There are two iControl FastCGI endpoint (location /iControl/iControlPortal.cgi) configurations: one is under the server stanza listening on port 80, and the other is under the server stanza listening on port 443 with SSL enabled. The one under the port 80 server is already restricted to localhost (127.0.0.1) by default. Restrict the one under the SSL server. The start of the SSL server stanza should look like the following example:

     server {
         listen [::]:443 ipv6only=on ssl;
         listen *:443 ssl;
     }

  5. Locate the iControl FastCGI endpoint configuration under this SSL server; it should look like the following example:

     # iControl FastCGI endpoint
     location /iControl/iControlPortal.cgi {
         access_by_lua_file /usr/lib/webd/lua/icauth.lua;
         fastcgi_pass 127.0.0.1:8202;
         fastcgi_pass_header X-IControl-Session;
         fastcgi_pass_request_body on;
         fastcgi_param QUERY_STRING $query_string;
         fastcgi_param REQUEST_METHOD $request_method;
         fastcgi_param CONTENT_TYPE $content_type;
         fastcgi_param CONTENT_LENGTH $content_length;
         fastcgi_param SCRIPT_NAME '/iControl/iControlPortal.cgi';
     }

  6. Add the following two lines of configuration to this iControl FastCGI endpoint configuration:

     allow 127.0.0.1;
     deny all;

  7. After you add the two lines, the iControl FastCGI endpoint configuration should look like the following example:

     # iControl FastCGI endpoint
     location /iControl/iControlPortal.cgi {
         allow 127.0.0.1;
         deny all;
         access_by_lua_file /usr/lib/webd/lua/icauth.lua;
         fastcgi_pass 127.0.0.1:8202;
         fastcgi_pass_header X-IControl-Session;
         fastcgi_pass_request_body on;
         fastcgi_param QUERY_STRING $query_string;
         fastcgi_param REQUEST_METHOD $request_method;
         fastcgi_param CONTENT_TYPE $content_type;
         fastcgi_param CONTENT_LENGTH $content_length;
         fastcgi_param SCRIPT_NAME '/iControl/iControlPortal.cgi';
     }

  8. Save the changes and exit the text editor.
  9. To effect the change, you must restart the webd service. To do so, enter the following command:

     tmsh restart /sys service webd

For more information, please refer to the F5 BIG-IP Security Advisory. 
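The BIG-IQ procedure above is a manual edit that is easy to get wrong (restricting the port-80 block twice, or the wrong block). The script below is an added example, not F5's or Qualys's code: it applies the same change programmatically and idempotently, locating the iControl location block under the server stanza whose listen directives carry ssl, adding allow 127.0.0.1; and deny all; only when they are missing, and leaving the port-80 server untouched. The embedded webd.conf fragment is constructed for illustration, and the script name and the assumption that webd.conf follows the nginx-style layout shown in the advisory are mine; keep the backup from step 2 before writing to the real file.

```python
"""Idempotently restrict the SSL-server iControl FastCGI endpoint in webd.conf to localhost.

Added example, not F5's or Qualys's code. It performs the manual edit from the
BIG-IQ procedure: find the 'location /iControl/iControlPortal.cgi' block under a
'server' stanza whose 'listen' directives carry 'ssl', and add 'allow 127.0.0.1;'
and 'deny all;' at the top of that block. The port-80 server, already restricted
by default, is left alone. The sample configuration below is constructed.
"""
import re
import sys

ICONTROL_LOCATION = "/iControl/iControlPortal.cgi"
RESTRICT_LINES = ("allow 127.0.0.1;", "deny all;")

# Constructed webd.conf fragment mirroring the layout the advisory describes.
SAMPLE_WEBD_CONF = """\
server {
    listen 127.0.0.1:80;
    # iControl FastCGI endpoint
    location /iControl/iControlPortal.cgi {
        allow 127.0.0.1;
        deny all;
        fastcgi_pass 127.0.0.1:8202;
    }
}
server {
    listen [::]:443 ipv6only=on ssl;
    listen *:443 ssl;
    # iControl FastCGI endpoint
    location /iControl/iControlPortal.cgi {
        access_by_lua_file /usr/lib/webd/lua/icauth.lua;
        fastcgi_pass 127.0.0.1:8202;
        fastcgi_param SCRIPT_NAME '/iControl/iControlPortal.cgi';
    }
}
"""

LOCATION_RE = re.compile(r"location\s+" + re.escape(ICONTROL_LOCATION) + r"\s*\{")


def _block_body(lines, start):
    """Return the stripped lines inside the brace block opened on lines[start]."""
    depth, body = 1, []
    for line in lines[start + 1:]:
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break
        body.append(line.strip())
    return body


def restrict_icontrol_to_localhost(conf: str) -> tuple[str, int]:
    """Return (patched config text, number of location blocks changed)."""
    lines = conf.splitlines()
    out, changed = [], 0
    depth = 0
    server_depth = None      # brace depth at which the enclosing server {} opened
    server_is_ssl = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        out.append(line)
        if server_depth is None and re.match(r"server\s*\{", stripped):
            server_depth, server_is_ssl = depth, False
        elif server_depth is not None and re.match(r"listen\b.*\bssl\b", stripped):
            server_is_ssl = True
        elif server_depth is not None and server_is_ssl and LOCATION_RE.match(stripped):
            body = _block_body(lines, i)
            if not all(r in body for r in RESTRICT_LINES):
                # Insert directly under the opening line, one level deeper.
                indent = line[: len(line) - len(line.lstrip())] + "    "
                out.extend(indent + r for r in RESTRICT_LINES)
                changed += 1
        depth += stripped.count("{") - stripped.count("}")
        if server_depth is not None and depth <= server_depth:
            server_depth = None  # left the server stanza
    patched = "\n".join(out) + ("\n" if conf.endswith("\n") else "")
    return patched, changed


if __name__ == "__main__":
    # Usage: python3 restrict_icontrol.py /etc/webd/webd.conf   (back the file up first)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_WEBD_CONF
    patched, n = restrict_icontrol_to_localhost(text)
    if path and n:
        open(path, "w").write(patched)
    print(f"{n} iControl location block(s) restricted")
```

Running it a second time reports zero changes, which doubles as a check that the restriction is in place after a restart of webd; the port-80 block is never rewritten because its server has no ssl listen directive.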
 
Qualys Detection  
Qualys customers can scan their devices with QIDs 377781 and 377782 to detect vulnerable assets.

NOTE: The QIDs only cover BIG-IP as we do not support BIG-IQ.
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://support.f5.com/csp/article/K94221585  
https://support.f5.com/csp/article/K13325942  
