Full Report
BIG-IP is F5's family of application delivery products. The devices carry a suite of admin-only internal APIs that are normally reachable only on the LAN the device sits on, and this article is a dive into those APIs. The first CVE is a long chain of security issues. The author first found a trivial command injection in a binary called f5_update_checker: it reads a file called f5_update_action, and simply dropping a command injection payload into that file gives code execution. On its own that isn't a huge problem, because you need to be able to write a file to the system first; it only becomes a problem once we can write a file.

While playing around with the admin SOAP API, they obtained the ability to write a file to an arbitrary location with arbitrary content. See where this is going!? On top of that, the SOAP API was vulnerable to CSRF, since it lacked proper cookie flags and other protections. The catch is that the API takes an XML body, and a cross-origin request with an XML content type makes the browser send a CORS pre-flight first, which rules out a straightforward CSRF. The author got around this by putting the XML into an HTML form with a plaintext (text/plain) content type, which the browser submits without a pre-flight. That raised another problem: a form submission is serialised as key=value, which would corrupt the XML payload. However, XML allows comments! So the key became `<!--` and the value became `-->` followed by the regular XML. That comments out the equals sign (=) the form submission inserts, leaving valid XML. Amazing.

The SOAP API runs as root, but BIG-IP also runs SELinux, so obvious targets like /etc/profile.d cannot be written to. They noticed that /etc/profile.d contained a symbolic link to a bash script at /var/run/config/timeout.sh. Since that location isn't protected by SELinux, writing to the link's target is an SELinux bypass, in addition to the code execution method mentioned above. With the CSRF, the arbitrary file write and the command injection/SELinux bypass, we've got code execution on BIG-IP.
The second RCE method was a newline injection into RPM spec files via another administrative API. Since the file is handed to the RPM build tooling, injected lines are read as additional spec directives, and adding new fields or sections leads to the execution of arbitrary shell commands. Overall, awesome post, and I was happy to talk to the author at Hushcon this year to get more information about the CSRF issue.
Analysis Summary
This summary focuses on the RCE chain described in the report above and cross-references the F5 advisories for the two CVEs.
# Vulnerability: Chained RCE via CSRF, Arbitrary File Write, and Command Injection on F5 BIG-IP
## CVE Details
- CVE ID: CVE-2022-41622 (CSRF in the iControl SOAP API, chained to RCE)
  - Note: the report above describes a chain of several weaknesses; CVE-2022-41622 specifically covers the CSRF in the SOAP API that leads to RCE.
  - The RCE via RPM spec injection is tracked separately as CVE-2022-41800.
- CVSS Score: Not given in the report above; the vendor scores are in the F5 advisories. CVE-2022-41622 is described as leading to persistent root access.
- CWE: CWE-352 (Cross-Site Request Forgery, for CVE-2022-41622); CWE-78 (OS Command Injection, for the `f5_update_checker` component).
## Affected Systems
- Products: F5 BIG-IP and BIG-IQ devices.
- Versions: Affected versions are listed in the F5 advisories (K94221585 for CVE-2022-41622, K13325942 for CVE-2022-41800).
- Configurations: The chain targets the internal admin APIs, which are typically reachable only on the management LAN. The SOAP endpoint `/iControl/iControlPortal.cgi` runs with root privileges (setuid root), so any file it writes is written as root and is constrained only by SELinux policy.
## Vulnerability Description
The most severe exploit path detailed in the report above chains three flaws that together yield Remote Code Execution (RCE) as root and sidestep the SELinux policy that would otherwise contain a root-level file write:
1. **Arbitrary File Write via SOAP API:** A flaw in the admin SOAP API allowed an authenticated user to write arbitrary content to an arbitrary path on the filesystem. Because the SOAP endpoint runs as root, the write is a root-level write subject only to SELinux.
2. **Trivial Command Injection:** The binary `/f5_update_checker` reads the file `/f5_update_action` in a way that permits command injection, so a payload placed in that file is executed as a command. Exploiting this requires the ability to write that file, which the SOAP flaw provides.
3. **CSRF on the SOAP API (CVE-2022-41622):** The SOAP API lacked anti-CSRF protections. A cross-origin request carrying `Content-Type: text/xml` would trigger a CORS pre-flight that the server does not approve, so the author used an HTML form with `enctype="text/plain"`, which the browser submits without a pre-flight. Such a form serialises as `key=value`, which would corrupt the XML payload; the author used `<!--` as the field name and `-->` followed by the XML as the value, so the `=` the browser inserts lands inside an XML comment (`<!--=-->`) that precedes the root element. An attacker holding no credentials can thereby make a logged-in administrator's browser issue arbitrary SOAP calls in the administrator's session.
The chain uses the CSRF-triggered SOAP file write to drop attacker-controlled content where it will later be executed: either via the `/f5_update_action` command injection path, or at `/var/run/config/timeout.sh`, a path SELinux leaves writable that is reached from `/etc/profile.d` through a symbolic link, which sidesteps the SELinux policy protecting `/etc/profile.d` itself.
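As an added worked example (not code from the original post, from F5, or from the exploit author), the following shows how a browser serialises an `enctype="text/plain"` form and why the XML-comment trick keeps the body well-formed. The SOAP-style document, its placeholder Body element, the form action URL and the function names are all constructed for this illustration and do not reproduce a real iControl call.

```python
"""Added example: text/plain form serialisation versus XML well-formedness.

Constructed for illustration; the document below is a SOAP-shaped placeholder,
not an iControl request, and the action URL is a stand-in."""
import html
import xml.etree.ElementTree as ET

# Constructed SOAP-style document; the Body element is a placeholder.
XML_DOC = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><example:placeholder xmlns:example="urn:example"/></soapenv:Body>'
    "</soapenv:Envelope>"
)


def encode_text_plain(fields):
    """Serialise form fields the way a browser does for enctype="text/plain":
    each entry becomes name=value followed by CRLF, with no percent-encoding."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def parses_as_xml(body):
    """Return the root tag if the body is well-formed XML, otherwise None."""
    try:
        return ET.fromstring(body).tag
    except ET.ParseError:
        return None


def naive_fields(xml_doc):
    """Whole document as the field name with an empty value: the body ends in
    '...</Envelope>=\\r\\n' and the stray '=' after the root element is junk."""
    return [(xml_doc, "")]


def comment_trick_fields(xml_doc):
    """Field name '<!--', value '-->' + document: the separator lands inside an
    XML comment that precedes the root element, which the XML prolog permits."""
    return [("<!--", "-->" + xml_doc)]


def csrf_form_html(action, fields):
    """Render the fields as an auto-submitting text/plain form (the shape a
    CSRF page would carry). The action URL is whatever the caller passes."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields
    )
    return (
        f'<form id="f" method="POST" action="{html.escape(action, quote=True)}" '
        f'enctype="text/plain">{inputs}</form>'
        "<script>document.getElementById('f').submit()</script>"
    )


if __name__ == "__main__":
    for label, fields in (("naive", naive_fields(XML_DOC)),
                          ("comment trick", comment_trick_fields(XML_DOC))):
        body = encode_text_plain(fields)
        print(f"{label:14s} root={parses_as_xml(body)}")
    print(csrf_form_html("https://mgmt.example.invalid/path", comment_trick_fields(XML_DOC)))
```

The naive layout fails because XML forbids non-whitespace after the root element, while the comment layout succeeds because a comment is legal before the root element. The same check is worth running against any request body a server parses as XML: if the parser accepts what a `text/plain` form produces, the endpoint is reachable by a pre-flight-free cross-origin POST.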
A second, distinct RCE method (CVE-2022-41800) involved **newline injection into RPM spec files** via another administrative API, leading to arbitrary shell command execution during RPM creation.
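As an added example (not F5's code and not the exploit author's), the following shows the mechanism behind a spec-file newline injection in general terms: a value interpolated into a spec template without validation, the extra section a newline lets an attacker open, and a hardened variant that rejects control characters. The template, the choice of `Summary` as the injectable field and the function names are constructed assumptions; they do not reproduce the API parameter or spec layout involved in CVE-2022-41800.

```python
"""Added example: newline injection into an RPM spec file.

Constructed for illustration; the template and the injectable field are
assumptions, not F5's spec or API."""
import re

SPEC_TEMPLATE = """Name: example-pkg
Version: 1.0
Release: 1
License: none
Summary: {summary}

%description
constructed example package

%files
"""

# Spec sections whose bodies rpmbuild (or rpm at install time) runs as shell.
SHELL_SECTIONS = {"prep", "build", "install", "check",
                  "pre", "post", "preun", "postun"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_spec_unsafe(summary):
    """Interpolates the value verbatim. A newline ends the Summary line and
    everything after it is read by rpmbuild as further spec directives."""
    return SPEC_TEMPLATE.format(summary=summary)


def render_spec_safe(summary):
    """Same template, but refuses any control character (newline included) so
    the value cannot leave the Summary line."""
    if CONTROL_CHARS.search(summary):
        raise ValueError("summary must not contain control characters")
    return SPEC_TEMPLATE.format(summary=summary)


def shell_sections(spec):
    """Minimal spec splitter: map each shell-executed section to its non-empty
    lines. Handles '%post' and '%post -p /bin/sh' style headers; macros such
    as %{name} do not start a section."""
    found, current = {}, None
    for line in spec.splitlines():
        header = re.match(r"^%(\w+)", line)
        if header:
            name = header.group(1)
            current = name if name in SHELL_SECTIONS else None
            if current is not None:
                found.setdefault(current, [])
            continue
        if current is not None and line.strip():
            found[current].append(line.rstrip())
    return found


if __name__ == "__main__":
    injected = "harmless text\n%post\ntouch /tmp/injected"
    print(shell_sections(render_spec_unsafe(injected)))  # {'post': ['touch /tmp/injected']}
    try:
        render_spec_safe(injected)
    except ValueError as err:
        print("rejected:", err)
```

The unsafe renderer turns one user-supplied string into a `%post` scriptlet, which rpm runs as root on every host that installs the package; the safe renderer rejects the input before it reaches the template. Rejecting control characters is the minimum; a stricter allow-list for each spec field is the better default.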
## Exploitation
- Status: PoC available (demonstrated for CVE-2022-41622 using the SOAP upload and create_user calls).
- Complexity: Medium to High (requires chaining multiple vulnerabilities, knowing the management interface address and timing the CSRF against an administrator with an active session). The exploit path *requires* an SELinux bypass, which the symbolic link into `/var/run/config/` supplies.
- Attack Vector: Network. The CSRF component does not require the attacker to reach the management interface; it requires an administrator whose browser can reach it to load attacker-controlled content while logged in. Management interfaces are typically LAN-facing, so it is the victim's browser, not the attacker, that sits on that LAN.
## Impact
- Confidentiality: High (Root access allows reading all system data).
- Integrity: High (Ability to execute arbitrary code as root).
- Availability: High (Ability to disrupt service or render the device inoperable).
## Remediation
### Patches
F5 released fixes addressing both CVE-2022-41622 and CVE-2022-41800. Customers must refer to the specific vendor advisories:
* Fixes targeting CVE-2022-41622 are detailed in F5 advisory **K94221585**.
* Fixes for CVE-2022-41800 are detailed in F5 advisory **K13325942**.
### Workarounds
* For CVE-2022-41622: The patch adds the anti-CSRF protections the SOAP API lacked; no configuration change that removes the flaw is described in the report above. Until the patch is applied, exposure is reduced operationally: restrict which hosts can reach the management interface, and have administrators log out of the management UI rather than browse other sites with an active session, since the CSRF only works against a logged-in browser.
* For CVE-2022-41800: The RCE is limited to devices running in **Appliance Mode** and requires a valid authenticated user with Resource Administrator privileges or greater. Limiting who holds that role mitigates this component.
## Detection
- **Indicators of Compromise (IOCs):** Look for unusual activity against the administrative endpoints, specifically the SOAP endpoint `/iControl/iControlPortal.cgi` and related iControl paths: POSTs carrying a form content type (`text/plain` or form-urlencoded) rather than `text/xml`, or a `Referer`/`Origin` from a host other than the device, are the shape of the CSRF described above. On the device, monitor for writes to `/var/run/config/timeout.sh`, changes to the contents or link targets under `/etc/profile.d`, modifications to `/f5_update_action`, and for shell commands spawned during RPM spec processing.
- **Detection Methods and Tools:** InsightVM and Nexpose customers can use authenticated vulnerability checks released November 16, 2022, to assess exposure.
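As an added example (not from the original post, F5 or Rapid7), the following triages management-plane access records for the request shape the CSRF uses: a POST to the iControl SOAP endpoint with a form content type or a foreign `Origin`/`Referer`. The JSON log lines are constructed samples, the field names are an assumption to be mapped onto whatever your proxy or SIEM emits, and the management hostname is a placeholder.

```python
"""Added example: flag forged-looking POSTs to the iControl SOAP endpoint.

Log records and field names are constructed assumptions, not BIG-IP's own
log format."""
import json
from urllib.parse import urlsplit

SOAP_PREFIX = "/iControl/"
MGMT_HOST = "bigip-mgmt.example"  # assumed management hostname
FORM_TYPES = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}

# Constructed sample records, not real BIG-IP logs.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2022-11-16T10:00:01Z", "client": "10.0.0.5", "method": "POST",
                "path": "/iControl/iControlPortal.cgi", "status": 200,
                "content_type": "text/xml; charset=utf-8", "referer": "", "origin": ""}),
    json.dumps({"ts": "2022-11-16T10:02:13Z", "client": "10.0.0.23", "method": "POST",
                "path": "/iControl/iControlPortal.cgi", "status": 200,
                "content_type": "text/plain", "referer": "https://blog.example.net/post",
                "origin": "https://blog.example.net"}),
    json.dumps({"ts": "2022-11-16T10:03:40Z", "client": "10.0.0.23", "method": "GET",
                "path": "/tmui/login.jsp", "status": 200, "content_type": "",
                "referer": "", "origin": ""}),
])


def suspicious_reasons(entry, mgmt_host=MGMT_HOST):
    """Reasons a POST to the SOAP endpoint looks browser-forged. A SOAP client
    sends a text/xml body and no browser Origin/Referer; a form submission
    sends a form content type and names the page that submitted it."""
    if entry.get("method") != "POST" or not entry.get("path", "").startswith(SOAP_PREFIX):
        return []
    reasons = []
    media_type = entry.get("content_type", "").split(";", 1)[0].strip().lower()
    if media_type in FORM_TYPES:
        reasons.append(f"form content type {media_type} on SOAP endpoint")
    for header in ("origin", "referer"):
        value = entry.get(header, "")
        if value and urlsplit(value).hostname != mgmt_host:
            reasons.append(f"{header} from foreign origin {value}")
    return reasons


def triage(log_text, mgmt_host=MGMT_HOST):
    """Return (client, path, reasons) for every record that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = suspicious_reasons(entry, mgmt_host)
        if reasons:
            hits.append((entry["client"], entry["path"], reasons))
    return hits


if __name__ == "__main__":
    for client, path, reasons in triage(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

A legitimate `Referer` or `Origin` will be empty for scripted SOAP clients and will name the device itself for the built-in UI, so either rule on its own gives a low false-positive rate; the content-type rule is the more robust one, because a CSRF page cannot set `text/xml` without triggering a pre-flight.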
## References
- Vendor Advisory (K94221585): https://support.f5.com/csp/article/K94221585
- Vendor Advisory (K13325942): https://support.f5.com/csp/article/K13325942
- Vendor Product Information: https://www.f5.com/products