Rapid7 discloses more F5 BIG-IP vulnerabilities
While the severity of the issues is relatively low, F5 devices are commonly targeted by attackers to gain persistence inside a network.
A Rapid7 researcher has discovered five new vulnerabilities and exposures in F5 products that have been popular targets for attackers over the past few years.
The relatively low-severity flaws and bypasses that affect F5 BIG-IP and BIG-IQ devices were detailed in a blog post Wednesday. The post included mitigation steps and a disclosure timeline that stated Rapid7 researcher Ron Bowes initially uncovered the issues in July and privately disclosed to F5 in August. Subsequently, F5 classified two of the findings as vulnerabilities tracked as CVE-2022-41622, a cross-site request forgery (CSRF) flaw, and CVE-2022-41800, which makes iControl REST vulnerable to authenticated remote code execution.
While Rapid7 said widespread exploitation of the issues is unlikely, F5 products have been known to contain critical vulnerabilities and attract threat actors.
In May, researchers discovered active exploitation of a critical remote code vulnerability, assigned CVE-2022-1388, in F5 BIG-IP network appliances, which warranted a government alert. In addition, Rapid7's "2021 Vulnerability Intelligence Report" included many instances of F5 products that were considered a widespread threat. The report referred to VPNs, firewalls and gateways as "high-value network pivot opportunities for both sophisticated and low-skilled adversaries."
The most critical issue from Wednesday's disclosure, according to the blog, was CVE-2022-41622 because attackers can gain "persistent root access to the device's management interface (even if the management interface is not internet-facing)."
The internet-facing feature is what makes F5 products a popular target for attackers, according to Tod Beardsley, director of research at Rapid7. There will always be some exposure to the internet for these devices, he said, because that's what it was designed for.
"We've seen over the past couple years these are favorite classes of gear that attackers are interested in, things like VPN concentrators and firewalls," he said. "If you own that, you have persistence inside a network."
Disclosure process woes
While Rapid7 applauded F5's thoroughness to address and fix the issues, researchers disagreed with the vendor on the severity of the local privilege escalation and SELinux security control bypasses.
"Rapid7 also discovered several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface," the blog post read.
Beardsley was surprised that F5 classified CVE-2022-41800 as a vulnerability while other issues that required administrator login to exploit were not assigned a CVE. An F5 spokesperson told TechTarget Editorial that the decision was made because there is "no known way to exploit these issues without first bypassing security controls using an unknown or undiscovered mechanism."
"We know of no way in which an attacker would be able to take advantage of these issues at this time, and therefore do not consider them vulnerabilities and did not issue CVEs," an F5 spokesperson said in an email to TechTarget Editorial.
One concern Beardsley highlighted was that privileged attackers could use the bypasses to gain further control.
Both Rapid7 and F5 consider the issues bypasses and not vulnerabilities. However, the main disagreement centered around how an attacker would use the flaws and bypasses, Beardsley said. Rapid7 looks at the reasonable attack surface from a researcher perspective, which he said is almost always the same as the attacker perspective. For example, an attack surface that might be out of scope for a penetration tester might not be for an attacker.
Ron BowesResearcher, Rapid7
When asked how F5 defines a reasonable attack surface, a spokesperson told TechTarget Editorial that it classifies the vulnerabilities from the disclosure as a "defect in an F5 product which impacts the confidentiality, integrity or availability of the F5 product or information stored on the product." The spokesperson also said improvements aim to "adhere to best security practices to reduce any risk should design or threat models change in the future."
Bowes, who comes from a pen testing background, emphasized the importance of context when deciding the threat level.
"The CSRF flaw could allow attackers to write arbitrary files to the file system, but SELinux prevented me from doing that -- but then I found the SELinux bypasses, which let me exploit the vulnerability," Bowes said. "We bypassed security controls that were supposed to keep us out."
The use of SELinux to create boundaries such as administrator controls is rare, and Beardsley said he was delighted to see F5 using it. He and Bowes also agreed with F5 that many of the disclosed vulnerabilities and bypasses pose a low threat because they require having additional factors in place to exploit.
"Most of the remaining vulnerabilities are relatively minor and require the attacker to already have some level of access to the target device. They are more likely to be leveraged as part of an exploit chain to exacerbate more serious vulnerabilities," the blog post read.
In addition, Beardsley said enterprises can avoid all the flaws with basic mitigation. For example, he said the most critical of the disclosed vulnerabilities, CVE-2022-41622, can be mitigated by not browsing open source software service Mastodon while administering F5 gear.
In a statement on the disclosure, F5 said engineering hotfixes are available on request for both CVEs, and the fixes will be included in future releases as quickly as possible.