F5OS-A FIPS HSM Password Vulnerability Allowing OS Command Injection

Vulnerability

A command injection vulnerability exists in the F5OS-A operating system on rSeries appliances fitted with a FIPS hardware security module (HSM). The HSM initialization procedure hands the supplied password to the operating system in a way that lets a shell interpret metacharacters in it: a password containing such characters causes HSM initialization to fail, and an authenticated attacker with Admin or Resource Admin privileges can craft the password so that the embedded characters are executed as arbitrary system commands during initialization. The resulting command execution can be used to create, modify or delete files, disrupt services, or bypass Appliance Mode. Only the control plane is affected; there is no data plane exposure.

Impact

An authenticated Admin or Resource Admin user can inject and execute arbitrary operating system commands during FIPS HSM initialization. This can result in unauthorized file creation or deletion, service disruption, or a bypass of Appliance Mode.

Remediation

Affected versions are F5OS-A 1.8.0 and 1.5.1 through 1.5.3; upgrade to a fixed release (1.8.3 on the 1.8 branch, 1.5.4 on the 1.5 branch). Until the upgrade is applied, do not use shell metacharacters in the password supplied when initializing the FIPS HSM. Note that this workaround only prevents accidental initialization failures: the attacker described here is an authenticated administrator who chooses the password, so the password guidance does not stop a malicious Admin or Resource Admin, and upgrading is the actual fix.
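The flaw class described above, as an added illustration that is not F5's code and does not reflect the actual F5OS-A HSM utility (which this page does not name): a password interpolated into a shell command string beside the hardened form that passes it as a separate argv element. The command name `hsm-init`, the `--so-password` flag, and the use of `echo` as a stand-in for the real HSM tool are assumptions made so the example runs on any POSIX system; the attacker-chosen password is constructed for the demonstration.

```python
"""Shell metacharacter injection through a password, and the argv-based fix.

Hypothetical stand-in, not F5's code: "echo" plays the role of the HSM
initialization command so the example runs anywhere. The injection mechanics
are the same for any program launched through a shell.
"""
import shlex
import subprocess

# Hypothetical initialization command (assumption). A real appliance would
# invoke its HSM utility here; echo simply prints the argv it receives.
HSM_INIT_CMD = "echo hsm-init --so-password"

# Characters a POSIX shell treats specially. A password containing any of
# these cannot be safely pasted into a command string.
SHELL_METACHARS = set("'\"`$;&|<>()[]{}*?!#~\\ \t\n")


def build_vulnerable_command(password: str) -> str:
    """The flawed pattern: single-quote the password and hand the whole
    string to a shell. A single quote inside the password closes the quoting,
    and everything after it is parsed as further shell syntax."""
    return f"{HSM_INIT_CMD} '{password}'"


def init_hsm_vulnerable(password: str) -> str:
    """Runs the interpolated command through /bin/sh; returns its stdout."""
    completed = subprocess.run(
        build_vulnerable_command(password),
        shell=True, capture_output=True, text=True, check=False,
    )
    return completed.stdout


def init_hsm_hardened(password: str) -> str:
    """Fix: pass the password as one argv element and never involve a shell.
    execve hands the bytes to the program unchanged, so no character in the
    password is ever parsed as command syntax."""
    argv = shlex.split(HSM_INIT_CMD) + [password]
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


def password_is_shell_safe(password: str) -> bool:
    """The advisory's interim workaround expressed as an input check: reject
    passwords containing shell metacharacters. This prevents accidental
    breakage but cannot stop a malicious administrator who controls the
    password; the argv-based call above is the real remediation."""
    return not (SHELL_METACHARS & set(password))


if __name__ == "__main__":
    # Constructed attacker-chosen password: closes the quote, runs a command,
    # then reopens a quote so the overall command line stays syntactically valid.
    evil = "pw'; echo INJECTED; echo '"
    print("vulnerable:", repr(init_hsm_vulnerable(evil)))  # INJECTED on its own line
    print("hardened:  ", repr(init_hsm_hardened(evil)))    # password printed literally
    print("safe?      ", password_is_shell_safe(evil))     # False
```

The vulnerable path prints `INJECTED` as a separate line because the shell executed it as a second command; the hardened path prints the password verbatim, quotes and semicolons included, because the program received it as data. Passing the value as an argument still leaves the usual caveat that a password beginning with `-` may be parsed as an option by the receiving tool, which is an argument-parsing issue rather than command injection.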

Added: Oct 15, 2025, 2:23 PM
Updated: Oct 15, 2025, 2:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 4.4
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.