Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388

Last updated at Mon, 09 May 2022 17:57:00 GMT

On May 4, 2022, F5 released an advisory listing several vulnerabilities, including CVE-2022-1388, a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.

The vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:

• F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)
• F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)
• F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)
• F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)
• F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)
• F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)

On Monday, May 9, 2022, Horizon3 released a full proof of concept, which we successfully executed to get a root shell. Other groups have developed exploits as well.

Over the past few days, BinaryEdge has detected an increase in scanning and exploitation for F5 BIG-IP. Others on Twitter have also observed exploitation attempts. Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.

Widespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however; our best guess is that there are only about 2,500 targets on the internet.

Mitigation guidance

F5 customers should patch their BIG-IP devices as quickly as possible using F5's upgrade instructions. Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level — only authorized users should be able to reach the management interface at all.

F5 also provides a workaround as part of their advisory. If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.

Exploit attempts appear in at least two different log files:

• /var/log/audit
• /var/log/restjavad-audit.0.log

Because this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated vulnerability check in the May 5, 2022 content release. This release also includes authenticated vulnerability checks for additional CVEs in F5's May 2022 security advisory.

Additional reading:

• Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954
• Opportunistic Exploitation of WSO2 CVE-2022-29464
• Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)
• CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel