CVE-2014-3220
Published 2014-05-05
Priority P3 · 55 · critical · CVSS 2.0 base score 9 · vector AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT · EPSS 11.00% (95.3rd percentile)
F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | big-iq | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP PUT requests to /mgmt/shared/authz/users/ where the JSON body 'name' field differs from the authenticated user in the URI path — this indicates privilege escalation via user spoofing.
- Alert on HTTP PUT requests to /mgmt/shared/authz/users/root from non-root authenticated sessions, indicating an attempt to change the root password.
- Monitor for POST authentication to /ui/actions/logmein.html followed immediately by PUT requests to /mgmt/shared/authz/users/ — this two-step sequence is the exploit's attack pattern.
- Detect JSON PUT body containing 'kind':'shared:authz:users:usersworkerstate' with a 'name' field set to 'root' or another privileged user, especially when the selfLink user differs from the URI user.
- Watch for repeated PUT requests to the same /mgmt/shared/authz/users/ endpoint with incrementing 'generation' values in the JSON body — this is the exploit's generation-correction retry loop.
- After exploitation, monitor for new SSH (port 22) sessions to the BIG-IQ device originating from the same source IP that performed the /mgmt/shared/authz/users/ PUT requests.
- The exploit requires valid credentials for an existing (non-root) account on the BIG-IQ device; unauthenticated exploitation is not possible.
- The Metasploit module targets BIG-IQ version 4.1.0.2013.0 specifically; the NVD advisory covers the broader range 4.0.0 through 4.1.0.
- SSL must be enabled on the target (port 443); the module defaults to SSL:true and RPORT 443.
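The first, second and fifth detection items above, implemented as an added example (not code from the advisory, F5 or the Metasploit module) over constructed log records. The record fields (src_ip, auth_user, method, path, body) are an assumption about what a reverse proxy or REST access log in front of BIG-IQ would retain; per-request rules flag a body 'name' that differs from the URI user and a non-root session writing the root account, and a sequence rule flags the rising-'generation' retry loop.

```python
import json
from collections import defaultdict

USERS_PREFIX = "/mgmt/shared/authz/users/"

def uri_user(path):
    """User segment of a /mgmt/shared/authz/users/<user> path, or None for other paths."""
    if not path.startswith(USERS_PREFIX):
        return None
    return path[len(USERS_PREFIX):].split("/")[0].split("?")[0] or None

def parse_body(rec):
    try:
        doc = json.loads(rec["body"])
    except (TypeError, ValueError):
        return {}  # non-JSON body: nothing to inspect
    return doc if isinstance(doc, dict) else {}

def check_record(rec):
    """Per-request rules: body 'name' vs URI user, and a non-root session writing root."""
    alerts, target = [], uri_user(rec["path"])
    if rec["method"] != "PUT" or target is None:
        return alerts
    name = parse_body(rec).get("name")
    if name is not None and name != target:
        alerts.append(f"body name {name!r} differs from URI user {target!r}")
    if target == "root" and rec["auth_user"] != "root":
        alerts.append(f"non-root session {rec['auth_user']!r} wrote to root account")
    return alerts

def check_generation_retries(records, threshold=3):
    """Sequence rule: >= threshold PUTs to one users path from one source, 'generation' rising."""
    seen = defaultdict(list)
    for rec in records:
        if rec["method"] == "PUT" and uri_user(rec["path"]) is not None:
            gen = parse_body(rec).get("generation")
            if isinstance(gen, int):
                seen[(rec["src_ip"], rec["path"])].append(gen)
    return sorted(k for k, g in seen.items()
                  if len(g) >= threshold and all(b > a for a, b in zip(g, g[1:])))

# Constructed sample records (not real traffic): a proxy log that keeps the
# authenticated user and JSON body. The three 'bob' requests are one session retrying.
def _rec(src, user, body):
    return {"src_ip": src, "auth_user": user, "method": "PUT",
            "path": USERS_PREFIX + user, "body": body}

SPOOF = '{"name":"root","kind":"shared:authz:users:usersworkerstate","generation":%d}'
SAMPLE_RECORDS = [_rec("198.51.100.7", "alice", '{"name":"alice","generation":4}')] + \
                 [_rec("198.51.100.9", "bob", SPOOF % g) for g in (1, 2, 3)]
```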
No detection rules found.
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2014/May/10
- http://seclists.org/fulldisclosure/2014/May/11
- http://seclists.org/fulldisclosure/2014/May/16
- http://secunia.com/advisories/58440
- http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15229.html
- http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html
- http://www.exploit-db.com/exploits/33143
- http://www.securityfocus.com/bid/67191
- http://www.securityfocus.com/bid/67227
- https://gist.github.com/brandonprry/2e73acd63094fa2a4f63