25 vulnerabilities in F5 firewall and other products: Patch immediately
On Wednesday, specialists from the technology firm F5 Networks published a detailed report on the finding of 25 vulnerabilities in some of its products. According to reports, successful exploitation of these flaws could lead to various variants of hacking, including cross-site scripting (XSS) and denial of service (DoS) attacks.
Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS). The flaws reside mainly in various versions of NGINX Controller API Management, BIG-IQ Centralized Management and NGINX App Protect.
- CVE-2022–23009 (CVSS 8.0): An administrative role user authenticated on a BIG-IP device could access other BIG-IP devices managed by the same BIG-IQ system
- CVE-2022–23010 (CVSS 7.5): If a FastL4 profile and HTTP profile are configured on a virtual server, undisclosed requests can consume all affected system resources
- CVE-2022–23011 (CVSS 7.5): Virtual servers on some BIG-IP hardware platforms may stop responding while processing TCP traffic due to an issue in the SYN cookie protection feature.
- CVE-2022–23012 (CVSS 7.5): If an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to forcibly close
- CVE-2022–23014 (CVSS 7.5): When access to the BIG-IP APM portal is configured on a virtual server, undisclosed requests can force the closure of the Traffic Management Microkernel (TMM)
- CVE-2022–23015 (CVSS 7.5): When you configure a client SSL profile on a virtual server with Client Certificate Authentication and Session Ticket enabled and configured, SSL traffic processing can consume all resources in system memory
- CVE-2022–23016 (CVSS 7.5): If BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can force the traffic management microkernel (TMM) to close
- CVE-2022–23017 (CVSS 7.5): When a virtual server is configured with a DNS profile with quick response mode settings enabled and configured on a BIG-IP system, undisclosed requests can force the Traffic Management Microkernel (TMM) to close
- CVE-2022–23018 (CVSS 7.5): When a virtual server is configured with HTTP protocol security and HTTP proxy connection profiles, undisclosed requests can force the traffic management microkernel (TMM) to close
- CVE-2022–23019 (CVSS 7.5): When a message routing type virtual server is configured with router session profiles in BIG-IP, undisclosed traffic can cause excessive consumption of memory resources
- CVE-2022–23023 (CVSS 6.5): Undisclosed requests by an iControl REST user authenticated to BIG-IP could cause an increase in memory resource utilization
- CVE-2022–23026 (CVSS 5.4): An authenticated user with low privileges in BIG-IP could load data using an undisclosed REST endpoint, generating a disproportionate increase in system resources
- CVE-2022–23027 (CVSS 5.3): When a FastL4 profile and an HTTP, FIX, or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections
- CVE-2022–23028 (CVSS 5.3): When AFM SYN global cookie protection is enabled on BIG-IP, on the AFM Dos device or the DOS profile, certain types of TCP connections will fail
- CVE-2022–23029 (CVSS 5.3): When you configure a FastL4 profile on a virtual server, undisclosed traffic may cause an increase in memory resource utilization
- CVE-2022–23030 (CVSS 5.3): When BIG-IP Virtual Edition (VE) uses the ixlv driver and TCP segmentation offload settings are enabled, undisclosed requests can cause a disproportionate increase in CPU resource usage
- CVE-2022–23031 (CVSS 4.9): An XML External Entity (XXE) flaw in an undisclosed page of F5 Advanced Web Application Firewall and BIG-IP ASM Traffic Management User Interface would allow authenticated threat actors to access local files and force BIG-IP to send HTTP requests
- CVE-2022–23032 (CVSS 3.1): When proxy settings select the network access resource of a BIG-IP APM system, the BIG-IP Edge Client connection on Mac and Windows may be exposed to DNS relay attacks
A detailed report of the flaws is available on the official F5 platforms; the company claims that no active exploitation attempts have been detected, although it recommends users of affected deployments to update as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
Originally published at https://www.securitynewspaper.com on January 20, 2022.