A vulnerability (CVE-2022-23023) has been identified in BIG-IP versions 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5 and all versions of 13.1.x and 12.1.x, as well as all versions of BIG-IQ 8.x and 7.x. When exploited, it can increase memory resource utilization on the device, potentially causing performance degradation and denial of service. This article covers the details of the vulnerability, its potential impact, a sample code snippet, links to the original references, and how to remediate it.

Exploit Details

This vulnerability is triggered when an authenticated iControl REST user sends undisclosed requests, causing memory resource utilization to increase on the affected BIG-IP and BIG-IQ software versions. The issue is reported against all versions of 13.1.x and 12.1.x, but these software versions have already reached End of Technical Support (EoTS) and have not been evaluated.

The Common Vulnerability Scoring System (CVSS) score for this vulnerability ranges from 6.3 to 6.7, depending on the ease of exploitation. A score in this range indicates moderate impact, and the vulnerability should be addressed promptly.

Here's an example of how an attacker could exploit this vulnerability:

import requests
import json

TARGET_URL = "https://target_big_ip_address/mgmt/tm"
USERNAME = "icontrol_rest_user"
PASSWORD = "icontrol_rest_password"

# Login with the iControl REST credentials
auth_data = {
    "username": USERNAME,
    "password": PASSWORD
}

response = requests.post(TARGET_URL + "/auth", data=json.dumps(auth_data))
response.raise_for_status()
auth_token = response.json()["token"]["token"]

# Send a crafted request that causes the memory resource utilization issue.
# The actual request is undisclosed; the endpoint and parameter names below are placeholders.
headers = {
    "Content-Type": "application/json",
    "X-F5-Auth-Token": auth_token
}

params = {
    "undisclosed_query": "any_value_here"
}

response_2 = requests.get(TARGET_URL + "/tm/fake_endpoint", headers=headers, params=params)

This snippet illustrates the pattern: an attacker who holds an iControl REST user account authenticates and then issues requests to the REST API. The specific requests that trigger the condition are undisclosed, so the endpoint and parameter names above are placeholders rather than a working exploit.

The following resources provide more information regarding the vulnerability:

- F5 Security Advisory: https://support.f5.com/csp/article/K36148282
- CVE-2022-23023: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23023

Remediation

F5 Networks has released fixed versions for the supported software branches, and users are strongly advised to update their systems as soon as possible. The following versions resolve the vulnerability:

For BIG-IP 16.1.x, upgrade to version 16.1.2.1
For BIG-IP 15.1.x, upgrade to version 15.1.5
For BIG-IP 14.1.x, upgrade to version 14.1.4.5

No fixed version is listed here for BIG-IP 13.1.x and 12.1.x (both EoTS) or for BIG-IQ 7.x and 8.x; consult the F5 advisory linked above for guidance on those versions.
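A quick way to triage an estate against the affected and fixed versions quoted in this article is to encode those ranges and compare each device's reported version against them. The following script is an added example written for this article, not F5 code; the version table is taken from the article's own affected list, and the version strings fed to it are constructed samples. Branches the article does not mention (for example 16.0.x or 17.x) are reported as "not listed" rather than "safe", since this excerpt makes no claim about them.

```python
"""Triage BIG-IP / BIG-IQ version strings against the CVE-2022-23023 ranges quoted in the article."""

# First fixed version per affected BIG-IP branch (from the article's affected list).
# None means the article gives no fixed version for that branch: every version is affected.
BIGIP_BRANCHES = {
    (16, 1): (16, 1, 2, 1),
    (15, 1): (15, 1, 5),
    (14, 1): (14, 1, 4, 5),
    (13, 1): None,  # EoTS, not evaluated, listed as affected in all versions
    (12, 1): None,  # EoTS, not evaluated, listed as affected in all versions
}

# BIG-IQ major versions the article lists as affected in all versions.
BIGIQ_MAJORS = {8, 7}


def parse_version(text):
    """Turn '16.1.2.1' (optionally with a '-build' suffix such as '16.1.2.1-0.0.3') into an int tuple."""
    base = text.strip().split("-")[0]
    parts = base.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, version_text):
    """Return one of 'affected', 'fixed' or 'not listed' for a product/version pair.

    product is 'BIG-IP' or 'BIG-IQ'. Tuple comparison is used so that a shorter
    version such as (16, 1, 2) sorts before the fixed (16, 1, 2, 1).
    """
    version = parse_version(version_text)
    if product == "BIG-IQ":
        return "affected" if version[0] in BIGIQ_MAJORS else "not listed"
    if product != "BIG-IP":
        raise ValueError(f"unknown product: {product!r}")
    if len(version) < 2:
        raise ValueError(f"BIG-IP version needs at least major.minor: {version_text!r}")
    branch = version[:2]
    if branch not in BIGIP_BRANCHES:
        return "not listed"
    fixed = BIGIP_BRANCHES[branch]
    if fixed is None:
        return "affected"
    return "affected" if version < fixed else "fixed"


def remediation_target(product, version_text):
    """Return the fixed version string to upgrade to, or None when the article lists no fix."""
    if triage(product, version_text) != "affected":
        return None
    if product == "BIG-IQ":
        return None
    fixed = BIGIP_BRANCHES[parse_version(version_text)[:2]]
    return ".".join(str(p) for p in fixed) if fixed else None


if __name__ == "__main__":
    # Constructed inventory entries, not real devices.
    inventory = [
        ("BIG-IP", "16.1.2"),
        ("BIG-IP", "16.1.2.1"),
        ("BIG-IP", "15.1.4.1-0.0.3"),
        ("BIG-IP", "13.1.5"),
        ("BIG-IP", "17.0.0"),
        ("BIG-IQ", "8.1.0"),
    ]
    for product, ver in inventory:
        status = triage(product, ver)
        target = remediation_target(product, ver)
        print(f"{product} {ver}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

Feed it the version reported by each device (for example from your asset inventory) and act on every "affected" result; for "not listed" branches, check the F5 advisory directly rather than treating them as unaffected.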

As a precautionary measure, and because exploitation requires an authenticated iControl REST user, restrict iControl REST access to the accounts that need it and grant those accounts the fewest privileges required, which limits the potential impact.

Conclusion

CVE-2022-23023 is a memory resource utilization vulnerability in several BIG-IP and BIG-IQ software versions. Organizations running affected versions should upgrade to the fixed releases and limit iControl REST access to prevent potential exploitation. To stay informed about emerging threats and vulnerabilities, monitor vendor advisories and follow best practices for securing your network.

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 18:22:00 UTC