CVE-2022-23031 in BIG-IP FPS

Summary

by MITRE • 01/25/2022

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 01/28/2022

This vulnerability represents a critical XML External Entity (XXE) flaw in F5 BIG-IP systems that affects multiple product lines including the F5 Advanced Web Application Firewall, BIG-IP Application Security Manager, and the Traffic Management User Interface. The vulnerability exists in an undisclosed page within the configuration utility that handles XML processing, creating a pathway for authenticated attackers with high-privileged access to exploit the system. The flaw stems from insufficient input validation and improper handling of external entity references within XML parsing routines, allowing attackers to manipulate XML requests to access local system resources. This vulnerability aligns with CWE-611 which specifically addresses improper restriction of XML external entity reference and falls under the ATT&CK technique T1059.007 for input validation bypass and T1566.001 for credential access through network service manipulation.
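Added example, not code from F5 or VulDB: a fail-closed XML parser built on Python's standard library that refuses any DOCTYPE or entity declaration before a client document reaches the application, which is the parser-side restriction the CWE-611 weakness described above lacks. The request bodies are constructed samples and the SYSTEM identifier in the second one is a placeholder, not a real path.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DTDForbiddenError(ValueError):
    """Raised when an incoming document carries a DOCTYPE or entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Every <!ENTITY ...> declaration lives inside a DOCTYPE, so refusing the
    # DOCTYPE itself closes off external (and nested internal) entities.
    raise DTDForbiddenError(f"DOCTYPE '{name}' not allowed (system id {sysid!r})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise DTDForbiddenError(f"entity declaration '{name}' not allowed")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, failing closed on any DTD content.

    Pass 1 runs expat with handlers that abort on DOCTYPE/ENTITY and with
    parameter-entity parsing disabled, so no external DTD is ever fetched.
    Pass 2 builds the tree only after pass 1 accepted the document.
    """
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(data, True)  # raises DTDForbiddenError or ExpatError
    return ET.fromstring(data)


def classify_xml_request(data: bytes) -> str:
    """Return 'ok', 'rejected: ...' or 'malformed: ...' for a request body;
    the result can be logged to flag DTD-bearing requests to an XML endpoint."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except DTDForbiddenError as e:
        return f"rejected: {e}"
    except (xml.parsers.expat.ExpatError, ET.ParseError) as e:
        return f"malformed: {e}"


# Constructed sample bodies (not captured traffic); the SYSTEM id is a placeholder.
BENIGN_BODY = b"<config><name>vs_example</name><port>443</port></config>"
DTD_BODY = (b'<?xml version="1.0"?><!DOCTYPE config [<!ENTITY ext SYSTEM '
            b'"file:///placeholder/path">]><config><name>&ext;</name></config>')
```

Because the DOCTYPE handler fires before any entity is resolved, the document is rejected without expat ever touching the referenced system identifier.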

The technical impact of this vulnerability enables a sophisticated attacker to perform local file inclusion attacks, allowing them to read arbitrary files from the system filesystem. The attacker can leverage this capability to access sensitive configuration files, credential stores, and other system resources that should remain protected. Additionally, the vulnerability permits the attacker to force the BIG-IP system to make HTTP requests to arbitrary destinations, potentially enabling further exploitation such as internal network reconnaissance or exploitation of other systems within the network perimeter. This dual capability of file reading and remote HTTP request forcing creates a significant attack surface that can be leveraged for information gathering and privilege escalation within the network infrastructure.

The operational impact of CVE-2022-23031 extends beyond simple data theft, as it can facilitate comprehensive network reconnaissance and lateral movement within environments where BIG-IP systems are deployed. Organizations with unpatched systems face potential exposure of sensitive corporate data, including application credentials, configuration details, and system information that could be used to plan further attacks. The vulnerability's requirement for authenticated high-privileged access means that internal threat actors or attackers who have already compromised administrative credentials pose a significant risk. This makes the vulnerability particularly dangerous in environments where privileged access is not properly segmented or where credential compromise occurs through social engineering, phishing, or other attack vectors. The attack vector involves exploiting the TMUI interface through legitimate administrative sessions, making detection more challenging as the activity appears to originate from authorized administrative accounts.

Organizations should immediately implement the vendor-provided security patches for versions 16.1.1, 15.1.4, and 14.1.4.4 across all affected BIG-IP systems to remediate this vulnerability. Network segmentation should be enhanced to limit access to the TMUI interface to only necessary administrative personnel, with strict access controls and multi-factor authentication required. Monitoring should be implemented to detect unusual patterns of file access or outbound HTTP requests from BIG-IP systems, particularly during administrative sessions. Security teams should conduct comprehensive vulnerability assessments to identify all instances of affected software versions and ensure that proper network access controls are in place to limit exposure. Additionally, regular security awareness training should be provided to administrative users to reduce the risk of credential compromise that could enable exploitation of this vulnerability. The remediation process should include thorough testing of patches in non-production environments before deployment to ensure system stability and prevent potential service disruptions.

Reservation

01/10/2022

Disclosure

01/25/2022

Moderation

accepted

CPE

ready

EPSS

0.00834

KEV

no

Activities

very low
