CVE-2022-41622 and CVE-2022-41800 Exploit Detection: RCE Vulnerabilities in F5 BIG-IP and BIG-IQ Products

F5 Networks has recently released security advisories addressing two high-severity flaws discovered in the company’s BIG-IP and BIG-IQ products in August 2022. In late spring 2022, the company was exposed to similar security risks facing a set of in-the-wild exploitation attempts of the CVE-2022-1388 vulnerability in iControl REST, which allowed threat actors to perform remote code execution (RCE). 

To timely protect their customers from an unauthenticated RCE, F5 has issued hotfixes for the earlier discovered high-severity flaws covered in the corresponding advisories. These vulnerabilities with a CVSS score higher than 8 tracked as CVE-2022-41622 and CVE-2022-41800 are revealed in F5 BIG-IP and BIG-IQ products and can potentially lead to a full system compromise.  

Detect CVE-2022-41622 and CVE-2022-41800 Exploitation Attempts

Named One of Fortune’s 2019 World’s Most Admired Companies, F5 Network is trusted by global organizations in multiple industries, which exposes them to severe risks in the case of exploitation of high-severity vulnerabilities found in the company’s products. To identify potential attacks against organizational infrastructure, security practitioners require relevant detections for  CVE-2022-41622, CVE-2022-41800 exploitation attempts. SOC Prime Detection as Code platform has recently released a set of Sigma rules for these vulnerabilities by our keen Threat Bounty developer Nattatorn Chuensangarun:

F5 BIG-IP Signature Detection for Appliance Mode iControl REST Vulnerability [CVE-2022-41800]

F5 BIG-IP Signature Detection for iControl SOAP Vulnerability [CVE-2022-41622]

The detections can be used across 13 SIEM, EDR, and XDR technologies and are aligned with the MITRE ATT&CK® framework addressing the Initial Access and Lateral Movement tactics with the corresponding Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210) techniques.

Eager to join collective cyber defense forces and earn money while making the world a safer place? Register for our Threat Bounty Program, publish exclusive Sigma rules to the largest threat detection marketplace, hone your Detection Engineering skills, and connect with industry experts while receiving financial benefits for your input.

Hit the Explore Detections button to instantly access Sigma rules to detect exploits for emerging and existing vulnerabilities, accompanied by CTI links, ATT&CK references, and threat hunting ideas.

Explore Detections

RCE Vulnerabilities in F5 Products: Description & Mitigation

F5 Networks is an industry-leading company in Application Delivery Networking delivering multi-cloud and security application services for on-premises, cloud, or edge environments. In March 2022, the vendor was already challenged with addressing a set of security issues revealed in its BIG-IP and BIG-IQ products causing RCE on the vulnerable instances. 

On August 18, 2022, Rapid7 cybersecurity researchers were the first to uncover and report the new high-severity vulnerabilities in F5 BIG-IP and BIG-IQ products identified as CVE-2022-41622 and CVE-2022-41800. The uncovered RCE vulnerabilities were detailed in the corresponding F5’s November advisory providing an overview of the security flaws and their impact along with potential mitigation and remediation measures. F5 describes the identified RCE vulnerabilities as follows:

  • CVE-2022-41622 a high-severity vulnerability with a CVSS score of 8.8 enabling attackers to perform RCE in F5 Big-IP’s SOAP API via CSRF;
  • CVE-2022-41800 an Appliance mode iControl REST vulnerability with CVSS score of 8.7) enabling threat actors with an Administrator role to bypass Appliance mode privileges and perform RCE via RPM Spec Injection.

According to Rapid7 cybersecurity research, by exploiting the CVE-2022-41622, which is the most dangerous out of the revealed security holes, threat actors can gain persistent root access to the management interface of the vulnerable device, which can result in a complete system compromise. In addition to the above-mentioned security bugs, Rapid7 also revealed a set of bypasses of security controls, including a local privilege escalation via bad UNIX socket permissions tracked as ID1145045 along with two SELinux bypasses via incorrect file context (ID1144093) and via command injection in an update script (ID1144057).

As mitigation measures, F5 recommends that potentially affected users secure access to the BIG-IP and BIG-IQ management interfaces and make sure that only trusted users can gain access to these environments. 

Stay one step ahead of attackers with curated detection content against any critical threat or any exploitable CVE. Reach 800 rules for current and emerging CVEs to timely identify the risks in your infrastructure. Get 140+ Sigma rules for free or obtain the comprehensive list of relevant detection content via On Demand at https://my.socprime.com/pricing/.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts