The “file” parameter of the “save” command is vulnerable to command injection, allowing an authenticated attacker with administrator privileges on the “/mgmt” web API or the SSH “tmsh” shell to obtain remote code execution as the “root” user on the target system.
Note: This finding is only considered a vulnerability when BIG-IP is run in Appliance mode, because it may allow an authenticated attacker with the administrator role to bypass the Appliance mode security that would otherwise prevent the execution of arbitrary Advanced Shell (bash) commands.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Valid user credentials
- The capability to send requests to the iControl REST component and/or the capability to execute tmsh commands
More details and the exploitation process can be found in this PDF.