Please ensure Javascript is enabled for purposes of website accessibility
Portal oficial del Gobierno de Puerto Rico. 
Un sitio web oficial .pr.gov pertenece a una organización oficial del Gobierno de Puerto Rico.
Los sitios web seguros .pr.gov usan HTTPS, lo que significa que usted se conectó de forma segura a un sitio web.

TECNOLOGÍA

Gobierno de Puerto Rico

Alerta de ciberseguidad

Puerto Rico Innovation & Technology Service

Date:

May 5, 2022

Multiple Vulnerabilities in F5Networks Products Could Allow for Arbitrary Code Execution - PATCH: NOW -

Gobierno:
High
Medium
Low
Negocios:
High
Medium
Low
Hogar:
High
Medium
Low

Multiple vulnerabilities have been discovered in F5Networks products, the most severe of which could result in arbitrary code execution.

  • BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.
  • Traffix SDC is a product that provides load balancing and gateway connectivity.
  • Big-IQ Centralized Management tracks assets and manages policies for BIG-IP products.
  • F5 Access for Android is an Android application that allows users to access enterprise networks and applications.
  • BIG-IP Guided Configuration is a products that provides a way to deploy configurations of BIP-IP APM and Advanced WAF.
  • The F5OS-A is the operating system software for the F5 rSeries system.
  • NGINX Service Mesh is a product that allows for traffic control of distributed systems.
  • BIG-IP APM provides access control and authentication for applications.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

SYSTEMS AFFECTED:

  • F5 BIG-IP 11.6.1 - 11.6.5
  • F5 BIG-IP 12.1.0 - 12.1.6
  • F5 BIG-IP 13.1.0 - 13.1.5
  • F5 BIG-IP 14.1.0 - 14.1.4
  • F5 BIG-IP 15.1.0 - 15.1.5
  • F5 BIG-IP 16.1.0 - 16.1.2
  • F5 Traffix SDC 5.1.0 – 5.2.0
  • Big-IQ Centralized Management 8.0.0 -8.2.0
  • Big-IQ Centralized Management 7.0.0 -7.1.0
  • F5 F5OS-A 1.0.0
  • F5 Access For Android 3.0.6 - 3.0.7
  • NGINX Service Mesh 1.3.0 - 1.3.1
  • BIG-IP Guided Configuration
  • BIG-IP APM Clients 7.1.8 - 7.2.1

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in F5Networks products, the most severe of which could allow for remote code execution by an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses. Details of these vulnerabilities are as follows:

  • A vulnerability in BIG-IP allows for remote code execution(CVE-2022-1388)
  • A vulnerability in BIG-IP allows an authenticated user to run a limited set of commands (ping, traceroute, WOM diagnostics) (CVE-2022-1389)
  • Multiple vulnerabilities in BIG-IP allow users to bypass Appliance mode restrictions (CVE-2022-25946, CVE-2022-27806, CVE-2022-26415)
  • Multiple vulnerabilities in BIG-IP allow for XSS (CVE-2022-28707, CVE-2022-28716, CVE-2022-27878)
  • Multiple vulnerabilities in BIG-IP allow for privilege escalation (CVE-2022-29263, CVE-2022-28714, CVE-2022-27634)
  • Multiple vulnerabilities in BIG-IP allow for denial-of-service (CVE-2022-26372, CVE-2022-27189, CVE-2022-27230, CVE-2022-28691, CVE-2022-29491, CVE-2022-28705, CVE-2022-26890, CVE-2022-28701, CVE-2022-29473, CVE-2022-26370, CVE-2022-26517, CVE-2022-28706, CVE-2022-28708, CVE-2022-26130, CVE-2022-29480, CVE-2022-29479, CVE-2022-27182, CVE-2022-27181, CVE-2022-1468)
  • A vulnerability in BIG-IP allows for a SAD DNS attack (CVE-2022-26071)
  • A vulnerability in BIG-IP allows for remote code execution by a privileged, authenticated attacker (CVE-2022-28695)
  • Multiple vulnerabilities in BIG-IP allow for authentication bypass (CVE-2022-28859, CVE-2022-27659, CVE-2022-26340)
  • Multiple vulnerabilities in BIG-IP allow for information disclosure (CVE-2022-27636, CVE-2022-26835, CVE-2022-29474)
  • A vulnerability in F5 Access for Android allows for information disclosure (CVE-2022-27875)
  • A vulnerability in F5OS-A allows for information disclosure (CVE-2022-25990)
  • A vulnerability in NGINX Service Mesh allows for authentication bypass that results in the attacker being able to affect traffic policies (CVE-2022-27495)
  • Multiple vulnerabilities in Traffix SDC allow for XSS (CVE-2022-27662, CVE-2022-27880)
  • Multiple vulnerabilities in BIG-IQ Centralized Management allows for authentication bypass (CVE-2022-26340)
  • Multiple vulnerabilities in BIG-IQ Centralized Management allows for denial of service (CVE-2022-29479)
  • A vulnerability in BIG-IP APM Clients allows for information disclosure (CVE-2022-27636)
  • Multiple Vulnerabilities in BIG-IP APM Clients allow for privilege escalation (CVE-2022-28714, CVE-2022-29263)
  • Multiple Vulnerabilities in BIG-IP Guided Configuration allow for XSS (CVE-2022-27878, CVE-2022-27230)
  • Multiple vulnerabilities in BIG-IP Guided Configuration allow users to bypass Appliance mode restrictions (CVE-2022-25946, CVE-2022-27806)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by F5 to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services

REFERENCES:

F5:
https://support.f5.com/csp/article/K55879220

CVE: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26370
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28716
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29480
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29491

Dirección Física
360 Calle Ángel Buonomo
San Juan, 00918
Contáctenos
info@prits.pr.gov(939) 992-2200
PR.gov
Accesibilidad PRITS-043021-PRITS
Conforme a la Ley 229 de 2003
Política de PrivacidadOficina del Inspector General (OIG)

Cualquier ciudadano puede informar sobre irregularidades en el uso de fondos públicos o que puedan representar el delito de fraude o actos de corrupción pública.  Envié un correo electrónico a informa@oig.pr.gov o presente su queja a través de https://www.oig.pr.gov/informa. También puede comunicarse con la línea confidencial de la Oficina del Inspector General (OIG) al 787-679-7979. El denunciante está protegido por ley contra represalias por presentar una queja.

© 2024 Puerto Rico Innovation & Technology Service. Todos los derechos reservados.
Página desarrollada por 
Logo de PRITS