CVE-2022-25946

8.7 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators on F5 BIG-IP systems running in Appliance mode to bypass security restrictions due to a missing integrity check in Guided Configuration. It affects multiple BIG-IP products including Advanced WAF, ASM, and Guided Configuration across numerous versions. Attackers with administrative privileges can potentially escape the intended security boundaries of Appliance mode.

💻 Affected Systems

Products:
  • F5 BIG-IP Advanced WAF
  • F5 BIG-IP ASM
  • F5 BIG-IP Guided Configuration
Versions: BIG-IP: 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, 11.6.x; Guided Configuration: all versions prior to 9.0
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems running in Appliance mode. Software versions which have reached End of Technical Support (EoTS) are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker with Administrator privileges could completely bypass Appliance mode restrictions, potentially gaining unauthorized access to underlying system components, modifying configurations, or accessing data that should be isolated.

🟠 Likely Case

Malicious administrators or compromised admin accounts could bypass security controls to perform unauthorized actions within the system, potentially leading to configuration changes, data access, or privilege escalation.

🟢 If Mitigated

With proper access controls and monitoring, the impact is limited to authorized administrators who would have to exploit the vulnerability intentionally, which gives defenders an opportunity for detection and response.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated Administrator role access. The flaw lies in the integrity check mechanism itself, so exploitation is straightforward for anyone who already holds Administrator credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Guided Configuration 9.0 or later; BIG-IP versions with patches as specified in K52322100

Vendor Advisory: https://support.f5.com/csp/article/K52322100

Restart Required: Yes

Instructions:

1. Review the K52322100 advisory for the specific patch versions.
2. Download the appropriate patches from F5 Downloads.
3. Apply the patches following F5 upgrade procedures.
4. Restart affected services or systems as required.

🔧 Temporary Workarounds

Restrict Administrator Access (applies to: all)

Limit administrative access to only trusted personnel and implement strict access controls for Administrator roles.

Disable Guided Configuration if Unused (applies to: all)

If Guided Configuration is not required for operations, consider disabling it to remove the attack surface.

🧯 If You Can't Patch

  • Implement strict monitoring and logging of all administrative actions, especially those involving Guided Configuration
  • Apply principle of least privilege to Administrator accounts and implement multi-factor authentication

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version with 'tmsh show sys version' and Guided Configuration version via management interface. Compare against affected versions listed in K52322100.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify BIG-IP is running patched version and Guided Configuration is 9.0 or later. Confirm Appliance mode restrictions are properly enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative activity in Guided Configuration logs
  • Attempts to modify Appliance mode settings
  • Authentication events from unexpected Administrator accounts

Network Indicators:

  • Unusual administrative traffic patterns to Guided Configuration services

SIEM Query:

source="bigip" AND (event_type="admin_activity" OR user_role="Administrator") AND (process="guided_config" OR action="bypass*")
