F5 iControl REST and TMOS Shell Incorrect Permission Assignment Vulnerability Allowing Sensitive Information Disclosure

Vulnerability

A vulnerability exists in iControl REST and the TMOS shell (tmsh) due to incorrect permission assignments in an undisclosed command. This vulnerability may enable an authenticated attacker to access sensitive information. The issue is limited to the control plane and does not involve data plane exposure.

Impact

Exploitation of this vulnerability could allow an authenticated attacker to view sensitive information through iControl REST or tmsh commands.

Remediation

Users can block access to the iControl REST interface through self IP addresses by changing the Port Lockdown setting to 'Allow None' for each self IP address. If necessary, custom options can be used to disallow access to iControl REST while opening other ports. For management interfaces, access should be restricted to trusted users and devices over secure networks. Similar measures can be applied to SSH access through self IP addresses or the management interface.
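One way to verify the Port Lockdown change across all self IPs, as an added example that is not F5's code or part of the original advisory: it parses saved `tmsh list net self` output and reports every self IP whose allow-service setting still admits iControl REST or SSH. Assumptions: the sample output is constructed, iControl REST is reached on TCP 443 (8443 on single-NIC VE) and SSH on TCP 22, the `default` list includes both, and an omitted allow-service attribute means Allow None.

```python
import re

# Constructed sample laid out like `tmsh list net self` output.
SAMPLE = """\
net self ext_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
}
net self int_self {
    address 10.1.20.5/24
    allow-service none
}
net self ha_self {
    address 10.1.30.5/24
    allow-service {
        tcp:443
        udp:1026
    }
}
"""

# Assumed ports: iControl REST on TCP 443 (8443 on single-NIC VE), SSH on 22.
MGMT = {"443": "iControl REST", "https": "iControl REST",
        "8443": "iControl REST", "22": "SSH", "ssh": "SSH"}
BLOCK = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
ALLOW = re.compile(r"allow-service\s+(?:\{(.*?)\}|(\S+))", re.S)

def audit(text):
    """Return {self IP name: services still reachable under its Port Lockdown}."""
    findings = {}
    for name, body in BLOCK.findall(text):
        m = ALLOW.search(body)
        # Assumption: a self IP with no allow-service attribute is Allow None.
        tokens = (m.group(1) or m.group(2) or "").split() if m else ["none"]
        hit = set()
        for tok in tokens:
            port = tok.rsplit(":", 1)[-1]  # "tcp:443" -> "443"
            if tok in ("all", "default"):  # assumed to include 443 and 22
                hit.update(("iControl REST", "SSH"))
            elif port in MGMT:
                hit.add(MGMT[port])
        if hit:
            findings[name] = sorted(hit)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```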

Added: May 13, 2026, 6:15 PM
Updated: May 13, 2026, 6:15 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 3.5
remediation: 0.0
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.