F5 Big-IP - rsync Access

EDB-ID:

34465




Platform:

Hardware

Date:

2014-08-29


When configured in a high availability mode, the F5 solution suffers from an unauthenticated rsync access vulnerability that can be leveraged to upload a malicious SSH key and gain remote root access to the appliance.
The BigIP platform configures an rsync daemon listening on the ConfigSync interfaces when the system is configured in a failover mode. The rsync daemon as currently configured does not require any authentication and the “cmi” module has complete read/write access to the system. If the ConfigSync IP addresses are accessible by a malicious third party, it is possible to upload an authorized_keys file directly into the /var/ssh/root directory and then open a root SSH session on the f5 device.

Advisory: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34465.pdf