F5 BIG-IP and BIG-IQ Incorrect Permission Assignment Vulnerability in Network Diagnostics Commands

Vulnerability

An incorrect permission assignment vulnerability has been identified in F5 BIG-IP and BIG-IQ. The issue lies in the TMOS Shell (tmsh) network diagnostics commands and in the BIG-IP iControl REST interface, and it may allow an authenticated attacker to view the network status of destination systems. Versions that have reached End of Technical Support (EoTS) are not affected.

Impact

Exploitation of this vulnerability could allow an authenticated attacker to view the network status of destination systems. On BIG-IP this can be done remotely through iControl REST or locally via tmsh; on BIG-IQ it is exploitable only through tmsh.

Remediation

Upgrade to a version that includes the fix. For BIG-IP this is version 17.5.1.6 or 21.0.0.2. For BIG-IQ no fixed version is named; consult the F5 BIG-IQ hotfix and point release matrix for guidance. Until the fixed version is installed, restrict access to iControl REST and tmsh to trusted networks or devices.
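The interim mitigation in the last sentence, as an added example that is not part of the advisory and not F5's own code: a small bash script, meant to run from the BIG-IP or BIG-IQ advanced shell, that builds and applies tmsh allow-lists for the management HTTPS service (which serves the Configuration utility and iControl REST) and for SSH (the usual way to reach tmsh). The tmsh objects `/sys httpd allow` and `/sys sshd allow`, the `replace-all-with` modifier and the `tmsh -c` invocation are F5-documented; the networks 192.0.2.0/24 and 198.51.100.7 are constructed placeholders and the function names are assumptions made here. Where tmsh is absent the script only prints what it would run.

```shell
#!/bin/bash
# Added example (not from the advisory or F5): limit the management HTTPS
# service (Configuration utility + iControl REST) and SSH (route to tmsh) to
# trusted networks via tmsh allow-lists. Hypothetical helper names.

# Return 0 if $1 is an IPv4 address or CIDR block. A deliberately strict check:
# a typo in an allow-list can lock every administrator out of the device.
valid_cidr() {
  ip=${1%%/*}
  case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac   # bare address = /32
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the tmsh command that replaces the allow-list of a service ("httpd" or
# "sshd") with the given networks. An empty list is refused because it would
# remove all management access rather than restrict it.
allow_cmd() {
  svc=$1; shift
  if [ $# -eq 0 ]; then
    echo "refusing empty allow-list for $svc" >&2; return 1
  fi
  for net in "$@"; do
    valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
  done
  printf 'modify /sys %s allow replace-all-with { %s }\n' "$svc" "$*"
}

# Apply both allow-lists and persist them. Executes only where tmsh exists
# (a BIG-IP or BIG-IQ host); elsewhere it reports the commands as a dry run.
restrict_mgmt_access() {
  httpd_cmd=$(allow_cmd httpd "$@") || return 1
  sshd_cmd=$(allow_cmd sshd "$@") || return 1
  for cmd in "$httpd_cmd" "$sshd_cmd" "save /sys config"; do
    if command -v tmsh >/dev/null 2>&1; then
      tmsh -c "$cmd" || return 1
    else
      printf 'dry run: %s\n' "$cmd"
    fi
  done
}

# Constructed placeholder networks standing in for a real management subnet
# and a jump host.
restrict_mgmt_access 192.0.2.0/24 198.51.100.7
```

The allow-lists apply to the httpd and sshd daemons themselves, so they take effect whichever interface the connection arrives on; self IP port lockdown is a separate, complementary control and is worth reviewing at the same time. Verify the result with `tmsh list /sys httpd allow` and `tmsh list /sys sshd allow` before closing the session you applied it from.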

Added: May 13, 2026, 5:57 PM
Updated: May 13, 2026, 5:57 PM

Vulnerability Rating

Custom Algorithm

  Metric          Score
  spread          2.6
  impact          0.2
  exploitability  4.9
  remediation     0.0
  relevance       8.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.