CVE-2022-41622 Overview
CVE-2022-41622 is a cross-site request forgery (CSRF) vulnerability affecting F5 BIG-IP and BIG-IQ products through the iControl SOAP interface. This vulnerability allows attackers to trick authenticated administrators into performing unintended actions on vulnerable systems by exploiting the lack of proper CSRF protections in the iControl SOAP API.
The vulnerability affects all versions of BIG-IP and BIG-IQ that have not reached End of Technical Support (EoTS), making it a widespread concern for organizations relying on F5's application delivery and security infrastructure. Successful exploitation requires user interaction, where an authenticated administrator must visit a malicious webpage or click a crafted link while logged into the management interface.
Critical Impact
Attackers can leverage this CSRF vulnerability to execute administrative actions on BIG-IP/BIG-IQ systems with the privileges of the authenticated victim, potentially leading to complete system compromise, configuration manipulation, or service disruption.
Affected Products
- F5 BIG-IP Local Traffic Manager (all supported versions including 17.0.0)
- F5 BIG-IP Application Security Manager (all supported versions including 17.0.0)
- F5 BIG-IP Advanced Firewall Manager (all supported versions including 17.0.0)
- F5 BIG-IP Access Policy Manager (all supported versions including 17.0.0)
- F5 BIG-IP Analytics (all supported versions including 17.0.0)
- F5 BIG-IP Domain Name System (all supported versions including 17.0.0)
- F5 BIG-IP Fraud Protection Service (all supported versions including 17.0.0)
- F5 BIG-IP Global Traffic Manager (all supported versions including 17.0.0)
- F5 BIG-IP Link Controller (all supported versions including 17.0.0)
- F5 BIG-IP Policy Enforcement Manager (all supported versions including 17.0.0)
- F5 BIG-IP Application Acceleration Manager (all supported versions including 17.0.0)
- F5 BIG-IQ Centralized Management (all supported versions including 7.1.0)
Discovery Timeline
- December 7, 2022 - CVE-2022-41622 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-41622
Vulnerability Analysis
This vulnerability exists in the iControl SOAP interface, which is a management API used for programmatic control of BIG-IP and BIG-IQ devices. The iControl SOAP endpoint fails to implement adequate CSRF protections, allowing attackers to craft malicious requests that execute in the context of an authenticated administrator's session.
When an administrator with an active session to the BIG-IP or BIG-IQ management interface visits a malicious webpage, the attacker-controlled page can issue SOAP requests to the iControl interface. Since the browser automatically includes session cookies with these requests and the server does not validate anti-CSRF tokens, the requests are processed as legitimate administrative commands.
The attack requires network accessibility to the management interface, which is typically restricted to internal networks or management VLANs. However, if an administrator browses external websites while authenticated to the management console, the attack becomes viable from the internet.
Root Cause
The root cause of CVE-2022-41622 is the absence of anti-CSRF token validation in the iControl SOAP interface (CWE-352). The iControl SOAP API relies solely on session-based authentication without implementing same-origin policy enforcement mechanisms or requiring unpredictable tokens in state-changing requests.
This design flaw means that any authenticated request originating from any source—legitimate management tools or attacker-controlled webpages—will be processed equally if valid session credentials are present in the browser.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker would typically craft a malicious webpage containing hidden forms or JavaScript that generate SOAP requests to the target BIG-IP/BIG-IQ management interface. The attack sequence proceeds as follows:
The attacker first identifies the target organization's BIG-IP/BIG-IQ management interface IP address or hostname. They then craft a webpage containing malicious SOAP requests targeting administrative functions such as user management, configuration changes, or system commands.
The attacker delivers the malicious page to an administrator through phishing, watering hole attacks, or compromised websites. When the administrator visits this page while authenticated to the management interface, the browser executes the SOAP requests with the administrator's session cookies, and the BIG-IP/BIG-IQ system processes these requests as legitimate administrative actions.
Exploitation could enable attackers to create new administrative accounts, modify system configurations, disable security policies, or perform other privileged operations depending on the victim's access level.
Detection Methods for CVE-2022-41622
Indicators of Compromise
- Unexpected administrative user accounts created on BIG-IP/BIG-IQ systems
- Configuration changes that administrators do not recall making
- Unusual iControl SOAP API requests originating from unexpected source IP addresses
- Web server logs showing SOAP requests with referrer headers from external domains
Detection Strategies
- Monitor iControl SOAP API access logs for requests with external or suspicious HTTP referrer headers
- Implement SIEM rules to detect administrative actions occurring shortly after administrators browse external websites
- Review BIG-IP/BIG-IQ audit logs for configuration changes made outside normal maintenance windows
- Deploy network monitoring to detect iControl SOAP traffic originating from unexpected client IP addresses
Monitoring Recommendations
- Enable comprehensive audit logging on all BIG-IP and BIG-IQ management interfaces
- Configure alerts for sensitive administrative operations such as user creation, configuration export, or system command execution
- Implement user behavior analytics to identify anomalous administrative activity patterns
- Regularly review management interface access logs for suspicious request patterns
How to Mitigate CVE-2022-41622
Immediate Actions Required
- Review the F5 Security Advisory K94221585 for vendor-specific guidance and available fixes
- Restrict iControl SOAP interface access to trusted management networks only
- Ensure administrators do not browse untrusted websites while authenticated to BIG-IP/BIG-IQ management interfaces
- Implement browser isolation for administrators accessing external web content
- Consider disabling iControl SOAP if not required for operations
Patch Information
F5 has published detailed remediation guidance in Security Advisory K94221585. Organizations should consult this advisory to identify specific hotfixes, patches, or version upgrades applicable to their deployment.
Given the broad scope of affected products and versions, administrators should verify their specific BIG-IP and BIG-IQ versions against F5's advisory to determine the appropriate remediation path. Ensure all systems are updated to versions that include CSRF protections for the iControl SOAP interface.
Workarounds
- Restrict management interface access to dedicated management workstations that do not access untrusted web content
- Implement network-level controls to ensure iControl SOAP is only accessible from explicitly authorized IP addresses
- Use dedicated browser profiles or virtual machines for BIG-IP/BIG-IQ administration, keeping them isolated from general web browsing
- Deploy web application firewalls or reverse proxies in front of management interfaces to add request validation
# Example: Restrict management interface access using BIG-IP TMSH
# Allow management access only from specific trusted networks
tmsh modify sys httpd allow { 10.0.0.0/8 192.168.1.0/24 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
