F5 BIG-IP and BIG-IQ Privilege Escalation Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A vulnerability exists in F5 BIG-IP and BIG-IQ systems, specifically in versions of BIG-IP 21.0.0, 17.5.0 through 17.5.1, 17.1.0 through 17.1.3, and BIG-IQ 8.4.0 through 8.4.1. This vulnerability allows a highly privileged, authenticated attacker with the Certificate Manager role to modify configuration objects that can execute arbitrary commands. On BIG-IP systems, this could bypass Appliance mode restrictions, crossing a security boundary in such deployments. The vulnerability is a control plane issue, with no exposure on the data plane.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of system commands, allowing the attacker to create or delete files. On BIG-IP systems, it could also bypass Appliance mode restrictions, crossing a security boundary in such deployments.

Remediation

Users can upgrade to BIG-IP versions 21.0.0.2, 17.5.1.6, or 17.1.3.2. For BIG-IQ, version 8.4.1 is recommended. If an immediate upgrade is not possible, access to the BIG-IP or BIG-IQ Configuration utility and to the command line over SSH can be restricted to trusted networks or devices only, which limits the attack surface; this includes blocking such access through self IP addresses or the management interface.
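As an added example, not code from the advisory or from F5, the following POSIX shell helper emits the tmsh commands for the interim mitigation described above: a source allow-list for the Configuration utility (httpd) and SSH (sshd), and port lockdown on self IPs. The trusted networks and the self IP object name are placeholders, and the tmsh syntax is an assumption based on F5's public allow-list documentation; confirm it against your own version before applying.

```shell
#!/bin/sh
# Added example (not from the advisory or F5). Emits tmsh commands that limit
# administrative access to trusted networks and close admin services on self
# IPs, matching the interim mitigation. Networks and self IP names are
# placeholders; the tmsh syntax is assumed from F5's documentation.

# Print one tmsh command per line.
#   $1: space-separated trusted networks, e.g. "10.0.0.0/8 192.0.2.0/24"
#   $2: space-separated self IP object names (placeholders)
lockdown_cmds() {
  nets="$1"
  selfs="$2"
  for n in $nets; do
    # Accept only dotted-quad/prefix characters so nothing else reaches tmsh.
    case "$n" in
      *[!0-9./]*|"") echo "invalid network: $n" >&2; return 1 ;;
    esac
  done
  list=$(printf ' %s' $nets)
  # replace-all-with discards any previously configured allow-list entries.
  printf 'modify /sys httpd allow replace-all-with {%s }\n' "$list"
  printf 'modify /sys sshd allow replace-all-with {%s }\n' "$list"
  # Port lockdown "none" stops the self IP from answering admin services.
  for s in $selfs; do
    printf 'modify /net self %s allow-service none\n' "$s"
  done
  printf 'save /sys config\n'
}

# Apply on a BIG-IP (tmsh present); elsewhere only print the commands.
apply_lockdown() {
  if command -v tmsh >/dev/null 2>&1; then
    lockdown_cmds "$1" "$2" | tmsh
  else
    lockdown_cmds "$1" "$2"
  fi
}
```

Review the printed commands before piping them into tmsh; locking down the network you administer from will cut off your own access.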

Added: May 13, 2026, 6:43 PM
Updated: May 13, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 10.0
exploitability: 3.0
remediation: 0.0
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.