CVE-2022-35735 in BIG-IP

Summary

by MITRE • 08/04/2022

In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, an authenticated attacker with Resource Administrator or Manager privileges can create or modify existing monitor objects in the Configuration utility in an undisclosed manner leading to a privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Analysis

by VulDB Data Team • 08/05/2022

This vulnerability exists in F5 BIG-IP application delivery controllers and is a critical privilege escalation flaw affecting several major versions: 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all 13.1.x versions. It lies in the Configuration utility's monitor object management and lets authenticated attackers holding Resource Administrator or Manager privileges create or modify monitor objects through an undisclosed mechanism. The flaw is classified as CWE-269: "Improper Privilege Management" and is a clear departure from the principle of least privilege. It stems from inadequate access controls and validation within the BIG-IP configuration interface, specifically in how monitor objects are handled during creation and modification. The affected components are the Configuration utility's object management layer and the underlying privilege validation that should prevent unauthorized changes to critical monitoring configurations.

The operational impact goes beyond simple privilege escalation: monitor objects govern the health checks that determine application delivery and service availability. An attacker who exploits this flaw can alter monitors to bypass critical health checks, produce false positive results, or manipulate service discovery. That can cause service disruption and availability problems, and altered monitoring behaviour may mask genuine security incidents, with potential data exposure as a consequence. The attack requires an authenticated session with Resource Administrator or Manager privileges, which aligns with ATT&CK techniques T1078.004: "Valid Accounts: Cloud Accounts" and T1484.001: "Group Policy Modification: Domain Policy" in the context of internal privilege escalation within network infrastructure. In effect, the vulnerability lets an attacker change the infrastructure components that govern how services are monitored and managed, creating a persistent backdoor or additional attack surface that can be leveraged for further compromise.

Affected organizations should immediately apply the vendor-provided patches for their BIG-IP version range; these updates address the access control flaws in the Configuration utility's monitor object handling. Security teams should also audit existing monitor configurations for unauthorized modifications made before patching. Network segmentation and privilege management should be reviewed so that the Resource Administrator and Manager roles are restricted to those who need them and the principle of least privilege is maintained. Monitoring for configuration changes, with established baseline configurations to compare against, helps detect unauthorized modifications. More broadly, the flaw shows why administrative interfaces need proper input validation, access control and privilege validation so that authenticated users cannot perform unauthorized operations within critical system components, and why up-to-date security patches and limits on the modification capabilities of privileged accounts matter in core infrastructure systems.
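The audit and baseline comparison recommended above, as an added example that is not VulDB's or F5's code: it checks a version string against the affected ranges given in the summary and diffs LTM monitor objects against a saved baseline to surface created or modified monitors. The JSON shape mimics an iControl REST monitor collection (an assumption), and the two sample exports are constructed.

```python
# Added example (not VulDB's or F5's code). Ranges below are taken from the advisory text.
# Key: "major.minor" branch -> first fixed version, or None when every version is affected.
AFFECTED = {"16.1": "16.1.3.1", "15.1": "15.1.6.1", "14.1": "14.1.5.1", "13.1": None}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_affected(version):
    """True if `version` falls in an affected range (13.1.x: every version)."""
    parts = parse_version(version)
    fixed = AFFECTED.get(f"{parts[0]}.{parts[1]}", "")
    if fixed == "":
        return False                      # branch not listed in the advisory
    return fixed is None or parts < parse_version(fixed)

IGNORED = {"generation", "selfLink"}     # volatile REST fields, not configuration

def index_monitors(collection):
    """Map iControl-style monitor items by fullPath, dropping volatile fields (assumed shape)."""
    return {m["fullPath"]: {k: v for k, v in m.items() if k not in IGNORED}
            for m in collection["items"]}

def diff_monitors(baseline, current):
    """Return monitors added, removed and modified relative to the baseline export."""
    base, cur = index_monitors(baseline), index_monitors(current)
    modified = {}
    for path in set(base) & set(cur):
        changed = {k: (base[path].get(k), cur[path].get(k))
                   for k in set(base[path]) | set(cur[path])
                   if base[path].get(k) != cur[path].get(k)}
        if changed:
            modified[path] = changed       # field -> (baseline value, current value)
    return {"added": sorted(set(cur) - set(base)),
            "removed": sorted(set(base) - set(cur)),
            "modified": modified}

# Constructed sample exports: the later one has a weakened health check and a new monitor.
BASELINE_EXPORT = {"items": [
    {"kind": "tm:ltm:monitor:http:httpstate", "name": "app_http", "partition": "Common",
     "fullPath": "/Common/app_http", "generation": 10, "recv": "200 OK"}]}
LATER_EXPORT = {"items": [
    {"kind": "tm:ltm:monitor:http:httpstate", "name": "app_http", "partition": "Common",
     "fullPath": "/Common/app_http", "generation": 42, "recv": ""},
    {"kind": "tm:ltm:monitor:http:httpstate", "name": "new_mon", "partition": "Common",
     "fullPath": "/Common/new_mon", "generation": 43, "recv": ""}]}

if __name__ == "__main__":
    print("16.1.2.2 affected:", is_affected("16.1.2.2"))
    print(diff_monitors(BASELINE_EXPORT, LATER_EXPORT))
```

Any entry in "added" or "modified" that does not match an approved change request is a candidate for the audit the analysis recommends; an emptied `recv` string, as in the sample, means the monitor accepts any response.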

Responsible

F5 Networks

Reservation

07/19/2022

Disclosure

08/04/2022

Moderation

accepted

CPE

ready

EPSS

0.00760

KEV

no

Activities

very low

Sources
