F5 Big-IP - rsync Access







When configured in a high availability mode, the F5 solution suffers from an unauthenticated rsync access vulnerability that can be leveraged to upload a malicious SSH key and gain remote root access to the appliance.
The BigIP platform configures an rsync daemon listening on the ConfigSync interfaces when the system is configured in a failover mode. The rsync daemon as currently configured does not require any authentication and the “cmi” module has complete read/write access to the system. If the ConfigSync IP addresses are accessible by a malicious third party, it is possible to upload an authorized_keys file directly into the /var/ssh/root directory and then open a root SSH session on the f5 device.

Advisory: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/34465.pdf