BIG-IP and BIG-IQ Privilege Escalation Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A vulnerability exists in BIG-IP and BIG-IQ systems in which a highly privileged, authenticated attacker holding at least the Certificate Manager role can modify configuration objects so that the system executes arbitrary commands. This issue affects BIG-IP versions 16.1.0 to 16.1.6, 17.1.0 to 17.1.3, and 21.0.0, as well as BIG-IQ versions 8.4.0 to 8.4.1. It is reachable by an attacker with network access to the management port or to self IP addresses, and on BIG-IP systems it can be used to bypass Appliance mode restrictions.
Impact
Exploitation allows the attacker to execute arbitrary system commands and to create or delete files. On BIG-IP systems it also allows the attacker to bypass Appliance mode restrictions, so it crosses a security boundary that the product is designed to enforce.
Remediation
Users can upgrade to BIG-IP versions 17.5.1.6, 17.1.3.2, or 21.0.0.2. For BIG-IQ, upgrade to version 8.4.1. Note that the affected list above includes BIG-IQ 8.4.1 and gives no fixed build for the 16.1.x branch, so confirm the exact fixed builds against the vendor advisory before scheduling the upgrade. If an immediate upgrade is not possible, limit the attack surface by restricting access to the Configuration utility and to the command line over SSH: allow only trusted administrative networks to reach the management port, and lock down the self IP addresses so that they do not expose those services. Because exploitation requires an authenticated account holding at least the Certificate Manager role, reviewing which accounts hold that role also narrows who is in a position to exploit the flaw.
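As an added illustration of the interim mitigation (this is example code written for this page, not F5's code and not part of the original advisory), the script below audits where the Configuration utility and SSH are reachable on a BIG-IP and emits the tmsh commands that would lock the exposed paths down. It parses constructed samples of the output of `tmsh list /net self`, `tmsh list /sys httpd allow` and `tmsh list /sys sshd allow`; the sample text, the trusted network `192.0.2.0/24` and the self IP names are assumptions made for the example, so verify the output format against your own device before relying on the parser.

```python
"""Audit BIG-IP self IP port lockdown and management allow lists.

Added example, not F5 code. It reads tmsh output (captured separately and
pasted in, or piped from `tmsh list ...` on the device) and reports which
paths still expose the Configuration utility (tcp:443) and SSH (tcp:22).
"""
import re

# Constructed sample of `tmsh list /net self` output; not from a real device.
SAMPLE_SELF = """\
net self external_self {
    address 203.0.113.10/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.0.0.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self ha_self {
    address 10.0.1.5/24
    allow-service {
        tcp:4353
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
net self locked_self {
    address 10.0.2.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan dmz
}
"""

# Constructed samples of `tmsh list /sys httpd allow` and `tmsh list /sys sshd allow`.
SAMPLE_HTTPD = "sys httpd {\n    allow { All }\n}\n"
SAMPLE_SSHD = "sys sshd {\n    allow { 10.0.0.0/8 192.0.2.7 }\n}\n"

# The Configuration utility and SSH ports. tmsh's "default" port lockdown
# list includes both, so "default" is treated as exposing them.
MGMT_PORTS = {"tcp:443", "tcp:22"}

SELF_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ALLOW_RE = re.compile(r"allow \{([^}]*)\}")


def parse_self_ips(text):
    """Return {name: {"address": cidr, "services": "all" | "none" | set}}."""
    result = {}
    for name, body in SELF_RE.findall(text):
        addr = re.search(r"address (\S+)", body).group(1)
        m = re.search(r"allow-service (all|none|\{(.*?)\})", body, re.S)
        services = m.group(1) if m.group(1) in ("all", "none") else set(m.group(2).split())
        result[name] = {"address": addr, "services": services}
    return result


def exposes_mgmt(services):
    """True if the allow-service setting lets traffic reach 443 or 22."""
    if services == "all":
        return True
    if services == "none":
        return False
    return "default" in services or bool(services & MGMT_PORTS)


def parse_allow(text):
    """Return the entries of a `sys httpd` / `sys sshd` allow list."""
    m = ALLOW_RE.search(text)
    return m.group(1).split() if m else []


def allow_is_open(entries):
    """An empty list or the literal 'All' means any source may connect."""
    return not entries or any(e.lower() == "all" for e in entries)


def remediation(self_ips, httpd_entries, sshd_entries, trusted_net):
    """Emit tmsh commands for every exposed path. Self IPs that must carry
    specific services (e.g. HA) should instead get
    `allow-service replace-all-with { tcp:4353 }` rather than `none`."""
    cmds = []
    for name, info in self_ips.items():
        if exposes_mgmt(info["services"]):
            cmds.append(f"tmsh modify /net self {name} allow-service none")
    if allow_is_open(httpd_entries):
        cmds.append(f"tmsh modify /sys httpd allow replace-all-with {{ {trusted_net} }}")
    if allow_is_open(sshd_entries):
        cmds.append(f"tmsh modify /sys sshd allow replace-all-with {{ {trusted_net} }}")
    if cmds:
        cmds.append("tmsh save /sys config")
    return cmds


if __name__ == "__main__":
    ips = parse_self_ips(SAMPLE_SELF)
    for name, info in ips.items():
        state = "EXPOSED" if exposes_mgmt(info["services"]) else "ok"
        print(f"{name:15} {info['address']:18} {state}")
    for cmd in remediation(ips, parse_allow(SAMPLE_HTTPD), parse_allow(SAMPLE_SSHD), "192.0.2.0/24"):
        print(cmd)
```

The script only prints the commands; review them before running, since `allow-service none` on a self IP that carries HA or configsync traffic would break that traffic. Restricting access this way reduces who can reach the vulnerable interfaces but does not remove the flaw, so it is a stopgap until the fixed build is installed.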
