F5 BIG-IP Information Leak Vulnerability via iControl REST

Vulnerability

A vulnerability exists in F5 BIG-IP systems that allows an authenticated attacker to leak information about local user account names. This issue arises from undisclosed requests made by the attacker to the iControl REST interface, accessible through the BIG-IP management interface and self IP addresses. The vulnerability affects several versions of BIG-IP, specifically in the 21.x, 17.x, and 16.x branches, as well as BIG-IQ Centralized Management.

Impact

Exploitation of this vulnerability could result in unauthorized access to usernames of local accounts on the BIG-IP system, potentially aiding in further attacks or exploitation.

Remediation

Users can upgrade to BIG-IP versions 21.0.0.2, 17.5.1.6, or 17.1.3.2 to address this vulnerability. No fixed release is available for BIG-IP 16.x, so upgrading to a branch that contains the fix is recommended. Until a fixed version is installed, restrict access to the iControl REST interface on self IP addresses and on the management interface so that only trusted networks or devices can reach it.
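As an added illustration of the self IP mitigation above (not part of this advisory and not F5's own tooling): a small Python audit over constructed `tmsh list net self` output that flags self IPs whose port lockdown setting would still reach iControl REST on TCP 443. The tmsh output layout and the `allow-service` values (`all`, `none`, a braced list containing `default` or `tcp:443`) are assumptions from memory, not taken from the page.

```python
import re

# Constructed sample of `tmsh list net self` output (format assumed from
# memory, not taken from the advisory); traffic-group lines omitted.
SAMPLE_TMSH_OUTPUT = """\
net self /Common/external {
    address 198.51.100.10/24
    allow-service all
    vlan /Common/external
}
net self /Common/internal {
    address 10.0.1.10/24
    allow-service {
        default
    }
    vlan /Common/internal
}
net self /Common/ha {
    address 10.0.2.10/24
    allow-service none
    vlan /Common/ha
}
"""

BLOCK = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ALLOW = re.compile(r"allow-service (?:\{(.*?)\}|(\S+))", re.S)

def parse_self_ips(text):
    """Map each self IP name to its port-lockdown setting: 'all', 'none',
    or a list of entries such as 'default' or 'tcp:443'."""
    result = {}
    for name, body in BLOCK.findall(text):
        m = ALLOW.search(body)
        if m:
            result[name] = m.group(2) if m.group(1) is None else m.group(1).split()
    return result

def exposes_icontrol_rest(allow_service):
    """iControl REST is served on TCP 443, which 'all', the 'default'
    lockdown list and an explicit tcp:443 entry all open."""
    if isinstance(allow_service, str):
        return allow_service == "all"
    return "default" in allow_service or "tcp:443" in allow_service

def audit(text):
    """Names of self IPs that still expose iControl REST, sorted."""
    return sorted(n for n, a in parse_self_ips(text).items()
                  if exposes_icontrol_rest(a))
```

Run `audit()` over the real `tmsh list net self` output of a device to see which self IPs still need locking down before the upgrade.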

Added: May 13, 2026, 5:56 PM
Updated: May 13, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          0.6
exploitability  5.4
remediation     7.9
relevance       8.2
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.