F5 Networks BIG-IP : iControl REST vulnerability (K44885536)

high Nessus Plugin ID 126403

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

Undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is only exploitable on multi-bladed systems.

The vulnerability allows bypass of Appliance mode security on BIG-IP systems by allowing the execution of arbitrary Advanced Shell (bash) commands. In systems without Appliance mode security, the administrator and resource administrator users will likely have this level of access already. F5 considers this a security concern mostly for systems deployed in Appliance mode, but it's also a valid attack vector for users that do not already have bash access granted. For example, a resource administrator who does not already have bash access explicitly granted in the user configuration can be exploited as an attack vector. (CVE-2019-6622)

Impact

A remote attacker can exploit the vulnerability by executing arbitrary bash commands on a vulnerable multi-bladed system.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K44885536.

See Also

https://my.f5.com/manage/s/article/K44885536

Plugin Details

Severity: High

ID: 126403

File Name: f5_bigip_SOL44885536.nasl

Version: 1.8

Type: local

Published: 7/2/2019

Updated: 11/2/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-6622

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_domain_name_system, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2019

Vulnerability Publication Date: 7/2/2019

Reference Information

CVE: CVE-2019-6622