Tuesday, September 8, 2015 At 6:14AM
Overview
Earlier this year GDS discovered a vulnerability in the F5 BIG-IP LTM product that allows a user with limited access to the system to escalate privileges and obtain highly privileged remote command execution on the device.
This issue was identified in the SOAP interface exposed on these devices at https://<host>/iControl/iControlPortal.cgi (a similar issue, although in a completely different function, was previously found in this same interface – see CVE-2014-2928). An attacker with valid credentials for the web interface and the Resource Administrator role can abuse the iCall SOAP functions to run arbitrary commands on the device with root privileges.
Am I vulnerable?
This vulnerability has been fixed in BIG-IP version 12.0 and 11.5.3 HF2. Other versions of BIG-IP from 11.3 to 11.6 have been confirmed to be vulnerable. Additionally, all versions of BIG-IQ and versions of Enterprise Manager from 3.1 are vulnerable. For more detailed information see the F5 Security Advisory.
Exploitation
Detailed exploitation information is available on request and will be published after further patches are released.
Remediation
Upgrade to BIG-IP version 12.0 or apply vendor patches once they are released. In the interim review configuration for any accounts in the Resource Administrator role. Update the configuration to use the least privilege necessary, while acknowledging that Resource Administrators have unconstrained privileges until this issue is patched.
Author: Tommaso Malgherini
©Aon plc 2023