A recent XML External Entity (XXE) vulnerability, tracked as CVE-2022-23031, has been discovered affecting BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4. F5 Advanced Web Application Firewall (Advanced WAF) and the BIG-IP ASM Traffic Management User Interface (TMUI) are impacted by this vulnerability, specifically in an undisclosed page of the TMUI/Configuration utility.

The vulnerability allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. In this post, we'll provide details about this exploit, including code snippets, links to references, and how to mitigate this security issue.

Exploit Details

An XXE vulnerability lets an attacker abuse an application's XML parsing features, which can lead to unauthorized disclosure of data, service disruption, or server-side request forgery.

To exploit this vulnerability, an attacker must be authenticated with high privileges and able to reach the vulnerable TMUI/Configuration utility; the attack supplies malicious XML data containing external entities that point at local files or trigger unauthorized HTTP requests.

An example of an XML payload that exploits this vulnerability is shown below:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

By injecting this payload into the undisclosed page of the TMUI/Configuration utility, an attacker could read the contents of sensitive local files such as "/etc/passwd".

References

For more details about this vulnerability and official advisories, please refer to the following links:

1. F5 Security Advisory: K60645570: F5 Advanced WAF and BIG-IP ASM vulnerability CVE-2022-23031
2. MITRE's CVE details: CVE-2022-23031
3. NIST NVD: CVE-2022-23031 Detail

Mitigation Steps

F5 has released software updates that address this vulnerability. Users should upgrade their affected BIG-IP FPS, ASM, and Advanced WAF systems to the following versions:

16.1.x users should upgrade to 16.1.1 or later.

15.1.x users should upgrade to 15.1.4 or later.

14.1.x users should upgrade to 14.1.4.4 or later.

Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated, and users running EoTS versions should consider upgrading their systems to a supported version.

In addition to upgrading, users can implement security measures such as the following:

1. Restricting access to the TMUI/Configuration utility to trusted users, networks, and devices.
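As an added example (not code from this post or from F5), the parser-side control that closes this class of bug, written against Python's standard-library expat binding: refuse any DOCTYPE, or at minimum any SYSTEM/PUBLIC entity, before the document is processed. The payload shown above is reused as constructed test input; the function and exception names are my own.

```python
import xml.parsers.expat

# Constructed sample: the payload shown in this post (version typo fixed).
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""


class UnsafeXMLError(ValueError):
    """Document declares a DOCTYPE or an external (SYSTEM/PUBLIC) entity."""


def parse_xml_safely(data: bytes, allow_internal_dtd: bool = False) -> list:
    """Parse with expat, refusing any DOCTYPE (or, with allow_internal_dtd,
    refusing only external entities). Returns the element names seen."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Equivalent of Java's disallow-doctype-decl: the strictest option.
        if not allow_internal_dtd or sysid is not None or pubid is not None:
            raise UnsafeXMLError(f"DOCTYPE '{name}' is not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM or PUBLIC identifier makes the entity external (file://, http://).
        if sysid is not None or pubid is not None:
            raise UnsafeXMLError(f"external entity '{name}' -> {sysid or pubid}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never dereference an external entity, however declared.
        raise UnsafeXMLError(f"external reference {sysid} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def rejects(data: bytes, allow_internal_dtd: bool = False) -> bool:
    """True when the guard refuses the document, False when it parses cleanly."""
    try:
        parse_xml_safely(data, allow_internal_dtd)
    except UnsafeXMLError:
        return True
    return False
```

The same two settings (no DOCTYPE, no external entities) are what the Java DocumentBuilderFactory and SAXParserFactory features used by servlet applications such as TMUI are meant to enforce.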

Conclusion

The CVE-2022-23031 vulnerability poses a significant threat to the security of BIG-IP FPS, ASM, and Advanced WAF systems. By understanding the exploit details, consulting the references, and applying the recommended mitigation steps, organizations can protect their systems and sensitive information from this security issue.

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 19:11:00 UTC