Credit: Yann Lehmann

iControl REST is an evolution of the F5 iControl framework. Using this Representational State Transfer (REST) API, an authenticated user can accomplish anything that can be accomplished from the F5 BIG-IP command line. It is an extremely powerful API.

On May 04, 2022, F5 disclosed a critical vulnerability, CVE-2022-1388. It may allow an unauthenticated attacker with network access to the management port or the self IP addresses of the BIG-IP system to leverage the iControl REST component, because some requests to iControl REST can directly bypass the authentication mechanism. Due to the capabilities of this component, anyone with network access to the management port or the self IP addresses can execute arbitrary system commands and modify services or files.

Given the nature of the iControl REST component, this is a control plane vulnerability that does not expose the data plane.

For additional details on how to identify which of your systems could be impacted, please review the attached advisory.

Should you need further assistance, please contact the Cyber Fusion Center through the MSS Portal or by phone:

North America: 1-866-929-3528
EMEA: +41 58 317 77 77

Kind regards,
The Cyber Fusion Center
Kudelski Security Team