
Overview of F5 vulnerabilities (October 2022)

Target Industry

No specific target industry has been identified.

Overview

On 19th October 2022, the security and application delivery company F5 released its October 2022 quarterly security notification, informing customers about a total of 18 vulnerabilities affecting its products. These vulnerabilities were sub-categorised as follows:

  • 12 High CVEs (CVSS Score 7.0-7.5)
  • 5 Medium CVEs (CVSS Score 4.9-6.5)
  • 1 Low CVE (CVSS Score 3.7)
  • 1 Security Exposure.

One of the vulnerabilities (CVE-2022-41617) is an authenticated remote code execution vulnerability affecting systems deployed in standard or appliance mode. The issue has a ‘critical’ rating if the device is in appliance mode. An attacker with elevated privileges can exploit the flaw to run arbitrary system commands, create or delete files, or disable services. Most of the remaining vulnerabilities can be exploited to execute arbitrary code, cause a denial-of-service (DoS) condition, or escalate privileges. Additionally, three of the advisories relate to NGINX modules and describe flaws that can allow a local attacker to cause an NGINX worker process to terminate. A ‘high severity’ rating has also been assigned to an F5OS vulnerability that can be exploited for privilege escalation.

Impact

The critical-level vulnerability, CVE-2022-41617 (BIG-IP Advanced WAF and ASM iControl REST vulnerability), affects systems deployed in standard or appliance mode. It may allow a high-privileged authenticated attacker with network access to the iControl REST interface to run arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

For the NGINX vulnerabilities, a successful exploit may allow a local attacker to cause an NGINX worker process to terminate, or may result in disclosure of NGINX worker process memory.

Finally, for the F5OS vulnerabilities, an authenticated low-privileged attacker with CLI access could exploit the flaw locally by passing crafted arguments to a specific command. A successful exploit allows the attacker to escalate privileges and to cross a security boundary.

Vulnerability Detection

F5 products running the respective earlier versions listed below are susceptible to the corresponding vulnerabilities.

Affected Products

The following F5 products, at the respective versions, are susceptible to the individual vulnerabilities:

  • BIG-IP iRules vulnerability CVE-2022-41624 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP SIP vulnerability CVE-2022-41832 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP iRules vulnerability CVE-2022-41833 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP software SYN cookies vulnerability CVE-2022-36795 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP TMM vulnerability CVE-2022-41983 (All Modules): Versions 13.1.0 – 17.0.0
  • BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41836: 14.1.5 – 14.1.5.2
  • BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41836: Versions 15.1.0 – 17.00.1
  • BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2022-41617: Versions 13.1.0 – 17.0.0
  • BIG-IP Advanced WAF, ASM, and NGINX App Protect WAF XML encoding security exposure: Versions 13.1.0 – 17.0.0
  • BIG-IP DNS Express vulnerability CVE-2022-41787: Versions 13.1.0 – 17.0.0
  • BIG-IP AFM NAT64 policy vulnerability CVE-2022-41806: 15.1.0 – 16.1.3
  • BIG-IP PEM and AFM TMUI, TMSH, and iControl REST vulnerability CVE-2022-41813: Versions 13.1.0 – 17.0.0
  • BIG-IP and BIG-IQ mcpd vulnerability CVE-2022-41694: 7.1.0 – 8.2.0
  • BIG-IP and BIG-IQ mcpd vulnerability CVE-2022-41694: Versions 13.1.0 – 17.0.0
  • F5OS-A/C vulnerability CVE-2022-41835: Versions 1.0.0 – 1.0.1
  • F5OS-A/C CLI vulnerability CVE-2022-41780: Versions 1.0.0 – 1.4.0
  • NGINX ngx_http_mp4_module vulnerability CVE-2022-41742; NGINX Plus: R22 – R27
  • NGINX ngx_http_mp4_module vulnerability CVE-2022-41742; NGINX Open-Source Subscription: R1 – R2
  • NGINX ngx_http_mp4_module vulnerability CVE-2022-41742; NGINX Open Source: 1.1.3 – 1.23.1
  • NGINX ngx_http_mp4_module vulnerability CVE-2022-41742; NGINX Ingress Controller: 1.9.0 – 2.4.0
  • NGINX ngx_http_mp4_module vulnerability CVE-2022-41742; NGINX App Protect WAF: 2.0.0 – 3.11.0

Containment, Mitigations & Remediations

To prevent exploitation of the respective vulnerabilities, the aforementioned F5 products must be updated to the following versions:

  • BIG-IP (all modules): versions 13.1.5.1 – 17.0.0.1
  • BIG-IP (DNS, LTM enabled with DNS services licence): versions 13.1.5.1 – 17.0.0.1
  • BIG-IP (AFM): 15.1.5.1 – 17.0.0
  • BIG-IP (Advanced WAF, ASM): 15.1.7 – 17.0.0.1
  • BIG-IQ Centralized Management: N/A
  • F5OS-A: 1.1.0
  • F5OS-C: 1.5.0
  • NGINX Plus: R27 P1, R26 P1
  • NGINX Open Source Subscription: R2 P1 – R1 P1
  • NGINX Open Source: 1.22.1 – 1.23.2
  • NGINX Ingress Controller: 1.12.5 – 2.4.1
  • NGINX App Protect WAF: 3.12.0
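
The affected ranges and fixed versions above overlap: NGINX Open Source 1.22.1 sits inside the affected range 1.1.3 – 1.23.1 yet is listed as fixed, so a plain range check misreports patched hosts. The following is an added example, not code from F5 or from this bulletin's author; it assumes that each fixed entry names one patched release per major.minor branch, and the hostnames in the sample inventory are constructed.

```python
# Added example: triage NGINX versions against the ranges printed in this bulletin.
# Assumption: a fixed entry such as "1.22.1 - 1.23.2" names one patched release
# per maintained major.minor branch, not a continuous range.

def parse(version):
    """'1.9.15' -> (1, 9, 15); numeric order, unlike string order ('1.9' > '1.23')."""
    return tuple(int(part) for part in version.split("."))

# product -> (first affected, last affected, patched releases), values from the bulletin
ADVISORY = {
    "NGINX Open Source": ("1.1.3", "1.23.1", ["1.22.1", "1.23.2"]),
    "NGINX Ingress Controller": ("1.9.0", "2.4.0", ["1.12.5", "2.4.1"]),
    "NGINX App Protect WAF": ("2.0.0", "3.11.0", ["3.12.0"]),
}

def status(product, version):
    """Return 'affected', 'patched', 'not-listed' or 'unknown-product'."""
    if product not in ADVISORY:
        return "unknown-product"
    low, high, fixes = ADVISORY[product]
    v = parse(version)
    # A patched release on the same major.minor branch wins over the range,
    # e.g. 1.22.1 lies inside 1.1.3 to 1.23.1 but carries the fix.
    for fix in map(parse, fixes):
        if v[:2] == fix[:2] and v >= fix:
            return "patched"
    if parse(low) <= v <= parse(high):
        return "affected"
    return "not-listed"  # outside the printed range; confirm against the vendor advisory

def triage(inventory):
    """inventory: iterable of (host, product, version); returns hosts needing an update."""
    return sorted(host for host, product, version in inventory
                  if status(product, version) == "affected")

# Constructed sample inventory (hostnames are made up for illustration).
SAMPLE = [
    ("web-01", "NGINX Open Source", "1.22.0"),
    ("web-02", "NGINX Open Source", "1.22.1"),
    ("web-03", "NGINX Open Source", "1.9.15"),
    ("k8s-01", "NGINX Ingress Controller", "1.12.5"),
    ("k8s-02", "NGINX Ingress Controller", "2.3.0"),
    ("waf-01", "NGINX App Protect WAF", "3.12.0"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE:
        print(host, product, version, status(product, version))
```
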

Indicators of Compromise

At the time of writing, F5 is withholding the full details of the vulnerability, in line with its restricted disclosure practices, until the majority of users have updated to the latest version of the respective operating systems.

Threat Landscape

BIG-IP users should not ignore these patches, as threat actors have been known to target vulnerabilities affecting the products. The most recent example was CVE-2022-1388, which saw mass exploitation earlier this year, with some hackers leveraging it to destroy BIG-IP appliances. Moreover, Denial-of-Service (DoS) attacks are becoming increasingly difficult to detect because targets of this attack vector are no longer restricted to network environments.

In addition to this, many high-profile organisations utilise NGINX webservers, including but not limited to, Microsoft, Google, IBM, VMware, LinkedIn, Intel, Apple and Twitter. Threat actors generally utilise a combination of probability and asset value to decide which attack surfaces to spend their time on. As such, the NGINX web server product range has become a prime target. The aforementioned organisations have become an integral aspect of both personal and business affairs. Hence, threat actors will almost certainly continue to exploit vulnerabilities contained within these devices in an attempt to extract the sensitive information contained therein.

Threat Group

No specific threat groups have been connected to this exploit.

MITRE Methodologies

T0814 – Denial of Service

TA0004 – Privilege Escalation

TA0002 – Execution

Further Information

F5 Support Article K30425568

F5 Support Article K11830089

F5 Support Article K33484483

F5 Support Article K28112382

NHS Digital Security briefing

SecurityWeek article