K80970653 : BIG-IP iRules vulnerability CVE-2022-33962

Security Advisory Description

The ‘node’ iRules command may allow an attacker to bypass the access control restrictions for a self IP address, regardless of the port lockdown settings.(CVE-2022-33962)

Impact

This vulnerability may allow an authenticated attacker with the iRule Manager role to create an iRule which allows the attacker to elevate their privileges to a higher level; this assumes that the attacker has access to the BIG-IP control plane as well as valid credentials.

Note: iRules in which the ‘node’ command operates on untrusted data-plane input should always be considered potentially unsafe and may have an elevated risk which should be determined by the author of the iRule. Such iRules are not advised unless steps are taken to validate the user input against an allow-list of valid destinations to ensure that the rule cannot be manipulated to send traffic to arbitrary, unintended destinations. Additionally, unvalidated input to the ‘node’ command may allow traffic to be directed to internal BIG-IP IP addresses or services.