Rewterz Threat Alert – Donot APT Group – Active IOCs

January 20, 2022

Rewterz Threat Alert – Conti Ransomware Group Attacks Indonesia’s Central Bank – Fresh IOCs

January 21, 2022

Rewterz Threat Advisory – Multiple F5 BIG-IP Vulnerabilities

January 21, 2022

Severity

High

Analysis Summary

CVE-2022-23028

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when global AFM SYN cookie protection (TCP Half Open flood vector) is activated. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2022-23029

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when a FastL4 profile is configured on a virtual server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause an increase in memory resource utilization.

CVE-2022-23030

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw When the BIG-IP Virtual Edition (VE) uses the ixlv driver and TCP Segmentation Offload configuration is enable. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause an increase in CPU resource utilization.

CVE-2022-23031

F5 BIG-IP could allow a remote authenticated attacker to obtain sensitive information, caused by an XML External Entity (XXE) in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI). By sending a specially-crafted file, a remote attacker could exploit this vulnerability to read local files and force BIG-IP to send HTTP requests.

CVE-2022-23032

F5 BIG-IP could allow a remote attacker to obtain sensitive information, caused by a DNS rebinding attack when proxy settings are configured in the network access resource of a BIG-IP APM system. By sending a specially-crafted request, an attacker could exploit this vulnerability to exfiltrate proxy configuration details.

CVE-2022-23023

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw in iControl REST. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause an increase in memory resource utilization.

CVE-2022-23024

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when the IPsec application layer gateway (ALG) logging profile is configured on an IPsec ALG virtual server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the Traffic Management Microkernel (TMM) to terminate.

CVE-2022-23025

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when a SIP ALG profile is configured on a virtual server. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the Traffic Management Microkernel (TMM) to terminate.

CVE-2022-23026

F5 BIG-IP is vulnerable to a denial of service caused by a flaw in the REST API endpoint. By sending a specially-crafted request, an attacker could exploit this vulnerability to upload data to cause an increase in disk resource utilization.

CVE-2022-23027

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the virtual server to stop processing new client connections.

CVE-2022-23022

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when an HTTP profile is configured on a virtual server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the Traffic Management Microkernel (TMM) to terminate.

CVE-2022-23011

F5 BIG-IP is vulnerable to a denial of service, caused by an issue in the SYN Cookie Protection feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2022-23008

F5 NGINX Controller API Management could allow a remote authenticated attacker to execute arbitrary code on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject JavaScript code that is executed on managed NGINX data plane instances.

CVE-2022-23009

F5 BIG-IQ Centralized Management could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to all BIG-IP devices managed by the same BIG-IQ system.

CVE-2022-23010

F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when a FastL4 profile and an HTTP profile are configured on a virtual server. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause an increase in memory resource utilization.

Impact

Denial of Service
Information Disclosure
Security Bypass

Affected Vendors

Affected Products

F5 BIG-IP (AFM) 15.1.0
F5 BIG-IP (AFM) 14.1.0
F5 BIG-IP (AFM) 13.1.0
F5 BIG-IP (AFM) 15.1.4
F5 BIG-IP 11.6.1
F5 BIG-IP 12.1.0
F5 BIG-IP 13.1.0
F5 BIG-IP 14.1.0
F5 BIG-IP 15.1.0
F5 BIG-IP 14.1.4
F5 BIG-IP (APM) 12.1.0
F5 BIG-IP (APM) 14.1.0
F5 BIG-IP (APM) 15.0.0
F5 BIG-IP (APM) 13.1.0
F5 BIG-IP 12.1.5
F5 BIG-IQ Centralized Management 7.0.0
F5 NGINX Controller API Management 3.18.0
F5 NGINX Controller API Management 3.19.0
F5 BIG-IQ Centralized Management 8.0.0

Remediation

Refer to F5 Security Advisory for patch, upgrade, or suggested workaround information.

https://support.f5.com/csp/article/K34360320

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

CVE-2024-28073 – SolarWinds Serv-U Vulnerability

GuLoader Malspam Campaign – Active IOCs

CVE-2024-31869 – Apache Airflow Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us