F5 BIG-IP and BIG-IQ iControl SOAP Vulnerability Allowing Sensitive File Download
Vulnerability
A vulnerability in the iControl SOAP interface of F5 BIG-IP and BIG-IQ systems allows authenticated attackers holding the Resource Administrator or Administrator role to download sensitive files. The issue affects several BIG-IP versions and is confined to the control plane; the data plane is not exposed. It stems from inadequate restrictions on file access, so that a user who already holds one of those roles can retrieve confidential files through the iControl SOAP API that the role should not grant.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files, potentially including confidential configuration data or other critical information managed through the BIG-IP or BIG-IQ platforms.
Remediation
Users can upgrade to version 21.0.0.2, 17.5.1.6, or 17.1.3.2, depending on the release branch they currently run. On BIG-IP systems, access to the iControl SOAP API should be restricted to trusted users; if the API is not in use, all access to it can be disabled. For more information about managing BIG-IP product hotfixes, refer to the F5 article K13123.
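To turn the remediation into a repeatable inventory check, the following Python snippet compares each installed BIG-IP version against the fixed releases the advisory names. It is an added example, not code from F5 or from this advisory. It assumes that each fixed release applies to the branch identified by its first two version components (21.0, 17.5, 17.1); versions on any other branch are reported as having no listed fix so that an operator consults F5 directly rather than assuming they are safe. The inventory entries are constructed sample data.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Fixed releases named in the advisory. The branch key (major, minor) is an
# assumption about which release branch each fix belongs to.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (21, 0): "21.0.0.2",
    (17, 5): "17.5.1.6",
    (17, 1): "17.1.3.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.1.3' into (17, 1, 3, 0) so versions of differing length compare sanely."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {version!r}")
    # Pad to four components: a bare '17.1.3' is the same point as '17.1.3.0'.
    return parts + (0,) * (4 - len(parts))


def fix_status(installed: str) -> str:
    """Classify one installed version relative to the advisory's fixed releases.

    Returns 'fixed', 'needs_upgrade', or 'no_listed_fix' (branch not covered
    by the fixed versions above; verify with F5 rather than assuming safety).
    """
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "no_listed_fix"
    return "fixed" if ver >= parse_version(fixed) else "needs_upgrade"


def assess_inventory(devices: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its fix status."""
    return {host: fix_status(version) for host, version in devices}


def summarize(devices: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count devices per status, useful for a quick remediation dashboard."""
    return dict(Counter(assess_inventory(devices).values()))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = [
        ("bigip-edge-01", "17.1.2"),
        ("bigip-edge-02", "17.1.3.2"),
        ("bigip-core-01", "17.5.1.5"),
        ("bigiq-mgmt-01", "21.0.0.2"),
        ("bigip-lab-01", "16.1.4"),
    ]
    for host, status in assess_inventory(sample_inventory).items():
        print(f"{host:15s} {status}")
    print(summarize(sample_inventory))
```

Devices reported as `needs_upgrade` should be scheduled for the fixed release on their branch; until then, restricting or disabling iControl SOAP access as the advisory recommends limits who can reach the affected interface at all.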
