K000137522 : BIG-IP iControl REST vulnerability CVE-2024-22093

Published: Feb 14, 2024, 00:00
Source: my.f5.com (F5:K000137522)

Tags: big-ip, icontrol rest, vulnerability, appliance mode, command injection, administrator privileges, network access, security boundary, bash commands, control plane, vcmp, guest instances

AI Score: 8.1 (Confidence: High)
EPSS: 0 (Percentile: 9.0%)

Security Advisory Description

When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on multi-bladed systems. A successful exploit can allow the attacker to cross a security boundary. (CVE-2024-22093)

Impact

This vulnerability affects only BIG-IP systems running in Appliance mode.

An authenticated attacker with administrator or resource administrator role privileges and network access to the affected iControl REST endpoint through the BIG-IP management port or self IP addresses can execute arbitrary system commands and create or delete files. The vulnerability allows the bypass of Appliance mode security on BIG-IP systems by allowing the authenticated attacker to execute arbitrary Advanced Shell (bash) commands. There is no data plane exposure; this is a control plane issue only.

Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. For more information about Appliance mode, refer to K12815: Overview of Appliance mode.
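The preconditions listed under Impact (an account holding the Administrator or Resource Administrator role, plus a reachable iControl REST listener on the management port or on a self IP whose port lockdown admits TCP/443) can be audited from two iControl REST collections. The script below is an added example, not F5's code and not part of the advisory. It runs offline on constructed JSON shaped like GET /mgmt/tm/auth/user and GET /mgmt/tm/net/self; the role strings, the allowService attribute, and the assumption that an absent allowService means port lockdown "none" are assumptions about the REST schema, and whether the unit runs in Appliance mode is passed in by the operator (determined from licensing or vCMP guest settings as K12815 describes) rather than queried.

```python
"""
Audit the preconditions that CVE-2024-22093 requires on a BIG-IP:
a privileged account and a reachable iControl REST listener, on a
unit running in Appliance mode.  Added example using constructed
sample data; not F5 code.
"""
import json

# Roles the advisory names as sufficient to reach the affected endpoint.
PRIVILEGED_ROLES = {"admin", "resource-admin"}

# Constructed sample shaped like GET /mgmt/tm/auth/user (not captured
# from a real device).
SAMPLE_USERS = json.loads("""
{"items": [
  {"name": "admin",    "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
  {"name": "svc-ops",  "partitionAccess": [{"name": "all-partitions", "role": "resource-admin"}]},
  {"name": "auditor1", "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]},
  {"name": "appdev",   "partitionAccess": [{"name": "Common",  "role": "application-editor"},
                                           {"name": "Tenant1", "role": "manager"}]}
]}
""")

# Constructed sample shaped like GET /mgmt/tm/net/self.  'allowService'
# mirrors tmsh 'allow-service'; assumption: the key is absent when port
# lockdown is 'none'.
SAMPLE_SELFIPS = json.loads("""
{"items": [
  {"name": "internal", "address": "10.0.1.5/24",    "allowService": ["default"]},
  {"name": "external", "address": "203.0.113.5/24"},
  {"name": "ha",       "address": "10.0.9.5/24",    "allowService": ["tcp:443", "udp:1026"]},
  {"name": "mgmt-alt", "address": "10.0.2.5/24",    "allowService": ["all"]}
]}
""")

# Port lockdown values that admit TCP/443: 'default' opens the BIG-IP
# default service list (which includes HTTPS), 'all' opens every port.
REST_OPENING_SERVICES = {"default", "all", "tcp:443"}


def privileged_accounts(users):
    """Return {username: [partitions]} for accounts holding admin or
    resource-admin, i.e. the role level the advisory requires."""
    found = {}
    for u in users.get("items", []):
        parts = [p["name"] for p in u.get("partitionAccess", [])
                 if p.get("role") in PRIVILEGED_ROLES]
        if parts:
            found[u["name"]] = parts
    return found


def selfips_exposing_rest(selfips):
    """Return names of self IPs whose port lockdown admits TCP/443, and
    therefore expose the iControl REST listener beyond the management port."""
    exposed = []
    for s in selfips.get("items", []):
        allowed = set(s.get("allowService", []))   # missing key treated as 'none'
        if allowed & REST_OPENING_SERVICES:
            exposed.append(s["name"])
    return exposed


def assess(users, selfips, appliance_mode):
    """Combine the advisory's conditions into one verdict.  The management
    port is assumed reachable by anyone who already holds admin credentials,
    so self IP exposure widens the attack surface but is not required."""
    accounts = privileged_accounts(users)
    exposed = selfips_exposing_rest(selfips)
    return {
        "appliance_mode": appliance_mode,
        "privileged_accounts": accounts,
        "selfips_exposing_rest": exposed,
        "in_scope": bool(appliance_mode and accounts),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_USERS, SAMPLE_SELFIPS, appliance_mode=True), indent=2))
```

Against a live unit the two collections would be fetched with an authenticated GET to /mgmt/tm/auth/user and /mgmt/tm/net/self and fed to assess() in place of the constructed samples; the self IP check is the part worth acting on, since an authenticated attacker who can only reach the management network has a much smaller foothold than one who can reach REST on a data-plane-adjacent self IP.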
