F5 BIG-IP and BIG-IQ iControl REST Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A vulnerability in the iControl REST API of F5 BIG-IP and BIG-IQ systems allows an authenticated attacker holding the Manager role to create configuration objects that execute arbitrary commands. This issue is present in BIG-IP versions 17.5.0 to 17.5.1, 17.1.0 to 17.1.3, and 21.0.0, as well as in all BIG-IQ versions. The vulnerability arises from an incorrect use of privileged APIs. Because it lets a Manager-role user run commands outside the permissions that role is meant to grant, it enables privilege escalation and, in BIG-IP Appliance mode deployments, a bypass of Appliance mode restrictions, which crosses a security boundary.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of commands, allowing a privileged attacker to escalate privileges, bypass Appliance mode restrictions, and cross security boundaries in BIG-IP appliance mode deployments.
Remediation
Users can upgrade to BIG-IP versions 17.5.1.6, 17.1.3.2, or 21.0.0.2, all of which include the necessary fix. For BIG-IQ, no fixed version is mentioned; it is advisable to consult the F5 product and services lifecycle policy index for guidance.
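The version ranges listed under Vulnerability and the fixed releases listed under Remediation can be turned into a simple triage check for an inventory of devices. The script below is an added example written for this page, not F5 code or tooling; the branch table is transcribed from the advisory text above, and the rule it applies, that a release on an affected branch is affected when it is older than that branch's fixed release, is this example's interpretation of the ranges given, not a statement the advisory makes. The device inventory is constructed sample data.

```python
"""Triage BIG-IP / BIG-IQ versions against the advisory ranges on this page.

Assumption (this example's interpretation, not the advisory's wording): a
BIG-IP release is treated as affected when it sits on an affected branch
(17.5, 17.1 or 21.0) and is older than that branch's fixed release. BIG-IQ is
affected on every version and the page lists no fixed release for it.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (branch prefix, first affected release, fixed release), from the advisory text.
AFFECTED_BIGIP_BRANCHES = [
    ((17, 5), (17, 5, 0), (17, 5, 1, 6)),
    ((17, 1), (17, 1, 0), (17, 1, 3, 2)),
    ((21, 0), (21, 0, 0), (21, 0, 0, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '17.1.3.1' into (17, 1, 3, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def check_bigip(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for a BIG-IP version string.

    Python compares tuples element-wise and treats a shorter tuple as smaller
    when it is a prefix of the longer one, so (17, 5, 1) < (17, 5, 1, 6) holds
    and 17.5.1 is classified as older than the fixed release 17.5.1.6.
    """
    v = parse_version(version)
    for branch, first, fixed in AFFECTED_BIGIP_BRANCHES:
        if v[:2] == branch and first <= v < fixed:
            return True, format_version(fixed)
    return False, None


def check_bigiq(version: str) -> Tuple[bool, Optional[str]]:
    """All BIG-IQ versions are affected; the page lists no fixed release."""
    parse_version(version)  # still validate the input
    return True, None


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Dispatch on product name; unknown products raise rather than silently passing."""
    if product == "BIG-IP":
        return check_bigip(version)
    if product == "BIG-IQ":
        return check_bigiq(version)
    raise ValueError(f"unknown product: {product!r}")


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool, str]]:
    """Annotate (hostname, product, version) rows with affected flag and advice."""
    rows = []
    for host, product, version in inventory:
        affected, fixed = check(product, version)
        if not affected:
            advice = "not in the affected ranges listed"
        elif fixed is None:
            advice = "affected; consult the F5 lifecycle policy index"
        else:
            advice = f"upgrade to {fixed} or later"
        rows.append((host, product, version, affected, advice))
    return rows


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "BIG-IP", "17.5.1"),
    ("lb-edge-02", "BIG-IP", "17.5.1.6"),
    ("lb-core-01", "BIG-IP", "17.1.3.1"),
    ("lb-core-02", "BIG-IP", "16.1.4"),
    ("lb-lab-01", "BIG-IP", "21.0.0"),
    ("mgmt-iq-01", "BIG-IQ", "8.3.0"),
]

if __name__ == "__main__":
    for host, product, version, affected, advice in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if affected else "ok"
        print(f"{host:12} {product:7} {version:10} {flag:9} {advice}")
```

Feed `triage` the product and version columns from whatever inventory source you already maintain; the advice column distinguishes the three BIG-IP branches, each with its own fixed release, from BIG-IQ, where the page names no fixed version.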
