F5 iControl REST and TMOS Shell Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A vulnerability exists in iControl REST and the TMOS Shell (tmsh) that allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects enabling the execution of arbitrary commands. This issue is present in BIG-IP versions 21.0.0, 17.5.0 through 17.5.1, and 17.1.0 through 17.1.3, as well as in BIG-IQ Centralized Management. The vulnerability arises from a least privilege violation, allowing unauthorized command execution and file manipulation.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of system commands and manipulation of files on the affected system.
Remediation
Users can upgrade to BIG-IP version 17.5.1.6, 17.1.3.2, or 21.0.0.2, depending on the branch they currently run. For BIG-IQ Centralized Management no fixed version is currently available; users are advised to upgrade to one once the fix is released. Until a fixed version can be installed, access to iControl REST and to the BIG-IP command line over SSH can be restricted to trusted networks or devices.
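As an added example (not part of the advisory), the following Python triages an inventory of BIG-IP version strings against the affected ranges and fixed releases stated above; the inventory is constructed, and treating point releases such as 17.1.3.1 as affected until the stated fix is an assumption.

```python
"""Triage BIG-IP version strings against the ranges in the advisory above.

Added example, not part of the advisory. The table below is transcribed
from the advisory text; the treatment of point releases (for example
17.1.3.1) as affected until the stated fix is an assumption.
"""
from typing import Dict, List, Tuple

# (first affected, last affected, fixed release) per branch, per the advisory.
ADVISORY_BRANCHES = [
    ("17.1.0", "17.1.3", "17.1.3.2"),
    ("17.5.0", "17.5.1", "17.5.1.6"),
    ("21.0.0", "21.0.0", "21.0.0.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.1.3.2' -> (17, 1, 3, 2); raises on anything non-numeric or too short."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"expected at least major.minor.maint: {version!r}")
    return parts


def assess(version: str) -> Dict[str, object]:
    """Say whether one version is in an affected range and what fixes it."""
    v = parse_version(version)
    for first, last, fixed in ADVISORY_BRANCHES:
        lo, hi, fix = (parse_version(x) for x in (first, last, fixed))
        # Branch membership is decided on major.minor.maint only; a point
        # release stays affected until it reaches the fixed release.
        if lo <= v[:3] <= hi:
            affected = v < fix
            return {"version": version, "affected": affected,
                    "upgrade_to": fixed if affected else None}
    return {"version": version, "affected": False, "upgrade_to": None}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return 'host -> fixed version' lines for every affected device."""
    return [f"{host} -> {r['upgrade_to']}"
            for host, ver in sorted(inventory.items())
            for r in (assess(ver),) if r["affected"]]


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    fleet = {"lb-a": "17.1.2", "lb-b": "17.5.1.6", "lb-c": "21.0.0", "lb-d": "16.1.4"}
    print("\n".join(triage(fleet)))
```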
