F5 BIG-IP and BIG-IQ Appliance Mode iControl REST Directory Traversal Vulnerability Allowing File Deletion
Vulnerability
A directory traversal vulnerability has been identified in an undisclosed iControl REST endpoint in F5 BIG-IP and BIG-IQ products running in Appliance mode. It allows an authenticated attacker with administrator privileges to cross security boundaries and delete files. Affected releases are BIG-IP 21.0.0, 17.5.0 through 17.5.1, and 17.1.0 through 17.1.3, as well as all BIG-IQ Centralized Management versions. In Appliance mode, the endpoint can be reached through the BIG-IP management port or self IP addresses, so any authenticated attacker with network access to either can exploit it.
Impact
Exploitation of this vulnerability could lead to unauthorized file deletion by an authenticated attacker with administrator privileges.
Remediation
Upgrade to BIG-IP 17.5.1.6 or 17.1.3.2, both of which include the fix; for BIG-IP 21.0.0, hotfix 21.0.0.2 is available. For BIG-IQ no fixed version is named; consult the F5 product and services lifecycle policy index for guidance.
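As an added triage helper (not F5's code or part of the advisory), the affected ranges and fixed builds above encoded so an inventory of BIG-IP and BIG-IQ versions can be checked against them; it assumes dotted numeric version strings of one to four components, and the function names are my own.

```python
# Ranges and fixed builds as stated in the advisory; helper names are mine.
# Each BIG-IP entry: (first affected, last affected) as 3-part bounds, then
# the 4-part build that carries the fix.
BIGIP_RANGES = [
    ((21, 0, 0), (21, 0, 0), (21, 0, 0, 2)),   # hotfix 21.0.0.2
    ((17, 5, 0), (17, 5, 1), (17, 5, 1, 6)),   # fixed in 17.5.1.6
    ((17, 1, 0), (17, 1, 3), (17, 1, 3, 2)),   # fixed in 17.1.3.2
]


def parse_version(text):
    """'17.5.1.6' -> (17, 5, 1, 6); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess_bigip(version, appliance_mode):
    """Return 'not_affected', 'fixed', 'vulnerable' or 'not_listed'."""
    if not appliance_mode:
        return "not_affected"          # advisory scopes the issue to Appliance mode
    v = parse_version(version)
    for first, last, fixed in BIGIP_RANGES:
        if first <= v[:3] <= last:     # inside an affected branch range
            return "fixed" if v >= fixed else "vulnerable"
    return "not_listed"                # branch not named in the advisory


def assess_bigiq(appliance_mode):
    """All BIG-IQ versions are listed as affected and no fixed build is given."""
    if not appliance_mode:
        return "not_affected"
    return "vulnerable_no_fix_listed"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ("17.1.3.1", "17.1.3.2", "17.5.0", "17.5.1.6", "21.0.0", "21.0.0.2", "16.1.4"):
        print(f"BIG-IP {ver}: {assess_bigip(ver, appliance_mode=True)}")
    print(f"BIG-IQ (Appliance mode): {assess_bigiq(True)}")
```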
