F5 BIG-IP and BIG-IQ Incorrect Permission Assignment Vulnerability in iControl REST and tmsh Commands Allowing Network Information Disclosure

Vulnerability

A vulnerability exists in F5 BIG-IP and BIG-IQ due to incorrect permission assignments in the TMOS Shell (tmsh) arp and ndp commands, as well as in BIG-IP iControl REST. This vulnerability may enable an authenticated attacker to access adjacent network information. Notably, this issue affects only versions that have not reached End of Technical Support (EoTS).

Impact

Exploitation of this vulnerability allows an authenticated attacker to view adjacent network information. In BIG-IP, the vulnerability can be exploited remotely via iControl REST or locally through tmsh. For BIG-IQ, exploitation is possible only through tmsh.

Remediation

Users can upgrade to a fixed version. For BIG-IP, fixed versions 21.0.0.2, 17.5.1.6, and 17.1.3.2 are available. For BIG-IQ, no fixed version is listed; users should consult the F5 BIG-IQ hotfix and point release matrix for guidance. Until a fixed version is installed, access to iControl REST and tmsh can be restricted to trusted networks or devices as a mitigation.

Added: May 13, 2026, 5:39 PM
Updated: May 13, 2026, 5:39 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           2.6
  impact           0.6
  exploitability   4.9
  remediation      0.0
  relevance        8.2
  threat           0.0
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.