Sid 1-36778

Message

SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt

Summary

This event is generated when an attempt to execute arbitrary commands through the F5 BIG-IP iControl API is detected.

Impact

Attempted Administrator Privilege Gain

CVE-2015-3628:

CVSS base score 9.0

CVSS impact score 10.0

CVSS exploitability score 8.0

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2015-3628: The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP AAM 11.4.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 11.3.0, BIG-IP GTM 11.3.0 before 11.6.0 HF6, BIG-IP PSM 11.3.0 through 11.4.1, Enterprise Manager 3.1.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 allows remote authenticated users with the "Resource Administrator" role to gain privileges via an iCall (1) script or (2) handler in a SOAP request to iControl/iControlPortal.cgi.

Affected systems

  • f5 big-ip_access_policy_manager 11.3.0
  • f5 big-ip_access_policy_manager 11.4.0
  • f5 big-ip_access_policy_manager 11.4.1
  • f5 big-ip_access_policy_manager 11.5.0
  • f5 big-ip_access_policy_manager 11.5.1
  • f5 big-ip_access_policy_manager 11.5.2
  • f5 big-ip_access_policy_manager 11.5.3
  • f5 big-ip_access_policy_manager 11.6.0
  • f5 big-ip_advanced_firewall_manager 11.3.0
  • f5 big-ip_advanced_firewall_manager 11.4.0
  • f5 big-ip_advanced_firewall_manager 11.4.1
  • f5 big-ip_advanced_firewall_manager 11.5.0
  • f5 big-ip_advanced_firewall_manager 11.5.1
  • f5 big-ip_advanced_firewall_manager 11.5.2
  • f5 big-ip_advanced_firewall_manager 11.5.3
  • f5 big-ip_advanced_firewall_manager 11.6.0
  • f5 big-ip_analytics 11.3.0
  • f5 big-ip_analytics 11.4.0
  • f5 big-ip_analytics 11.4.1
  • f5 big-ip_analytics 11.5.0
  • f5 big-ip_analytics 11.5.1
  • f5 big-ip_analytics 11.5.2
  • f5 big-ip_analytics 11.5.3
  • f5 big-ip_analytics 11.6.0
  • f5 big-ip_application_acceleration_manager 11.4.0
  • f5 big-ip_application_acceleration_manager 11.4.1
  • f5 big-ip_application_acceleration_manager 11.5.0
  • f5 big-ip_application_acceleration_manager 11.5.1
  • f5 big-ip_application_acceleration_manager 11.5.2
  • f5 big-ip_application_acceleration_manager 11.5.3
  • f5 big-ip_application_acceleration_manager 11.6.0
  • f5 big-ip_application_security_manager 11.3.0
  • f5 big-ip_application_security_manager 11.4.0
  • f5 big-ip_application_security_manager 11.4.1
  • f5 big-ip_application_security_manager 11.5.0
  • f5 big-ip_application_security_manager 11.5.1
  • f5 big-ip_application_security_manager 11.5.2
  • f5 big-ip_application_security_manager 11.5.3
  • f5 big-ip_application_security_manager 11.6.0
  • f5 big-ip_edge_gateway 11.3.0
  • f5 big-ip_enterprise_manager 3.0.0
  • f5 big-ip_enterprise_manager 3.1.0
  • f5 big-ip_enterprise_manager 3.1.1
  • f5 big-ip_global_traffic_manager 11.3.0
  • f5 big-ip_global_traffic_manager 11.4.0
  • f5 big-ip_global_traffic_manager 11.4.1
  • f5 big-ip_global_traffic_manager 11.5.0
  • f5 big-ip_global_traffic_manager 11.5.1
  • f5 big-ip_global_traffic_manager 11.5.2
  • f5 big-ip_global_traffic_manager 11.5.3
  • f5 big-ip_global_traffic_manager 11.6.0
  • f5 big-ip_link_controller 11.3.0
  • f5 big-ip_link_controller 11.4.0
  • f5 big-ip_link_controller 11.4.1
  • f5 big-ip_link_controller 11.5.0
  • f5 big-ip_link_controller 11.5.1
  • f5 big-ip_link_controller 11.5.2
  • f5 big-ip_link_controller 11.5.3
  • f5 big-ip_link_controller 11.6.0
  • f5 big-ip_local_traffic_manager 11.3.0
  • f5 big-ip_local_traffic_manager 11.4.0
  • f5 big-ip_local_traffic_manager 11.4.1
  • f5 big-ip_local_traffic_manager 11.5.0
  • f5 big-ip_local_traffic_manager 11.5.1
  • f5 big-ip_local_traffic_manager 11.5.2
  • f5 big-ip_local_traffic_manager 11.5.3
  • f5 big-ip_local_traffic_manager 11.6.0
  • f5 big-ip_policy_enforcement_manager 11.3.0
  • f5 big-ip_policy_enforcement_manager 11.4.0
  • f5 big-ip_policy_enforcement_manager 11.4.1
  • f5 big-ip_policy_enforcement_manager 11.5.0
  • f5 big-ip_policy_enforcement_manager 11.5.1
  • f5 big-ip_policy_enforcement_manager 11.5.2
  • f5 big-ip_policy_enforcement_manager 11.5.3
  • f5 big-ip_policy_enforcement_manager 11.6.0
  • f5 big-ip_wan_optimization_manager 11.3.0
  • f5 big-ip_webaccelerator 11.3.0
  • f5 big-iq_adc 4.5.0
  • f5 big-iq_cloud 4.0.0
  • f5 big-iq_cloud 4.1.0
  • f5 big-iq_cloud 4.2.0
  • f5 big-iq_cloud 4.3.0
  • f5 big-iq_cloud 4.4.0
  • f5 big-iq_cloud 4.5.0
  • f5 big-iq_device 4.2.0
  • f5 big-iq_device 4.3.0
  • f5 big-iq_device 4.4.0
  • f5 big-iq_device 4.5.0
  • f5 big-iq_security 4.0.0
  • f5 big-iq_security 4.1.0
  • f5 big-iq_security 4.2.0
  • f5 big-iq_security 4.3.0
  • f5 big-iq_security 4.4.0
  • f5 big-iq_security 4.5.0
  • f5 big-ip_protocol_security_manager 11.3.0
  • f5 big-ip_protocol_security_manager 11.4.0
  • f5 big-ip_protocol_security_manager 11.4.1

Ease of attack

CVE-2015-3628:

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html