Last updated at Mon, 09 May 2022 17:57:00 GMT
On May 4, 2022, F5 released an advisory listing several vulnerabilities, including CVE-2022-1388, a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.
The vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:
- F5 BIG-IP 16.1.0 - 16.1.2 (patched in 18.104.22.168)
- F5 BIG-IP 15.1.0 - 15.1.5 (patched in 22.214.171.124)
- F5 BIG-IP 14.1.0 - 14.1.4 (patched in 126.96.36.199)
- F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)
- F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)
- F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)
Over the past few days, BinaryEdge has detected an increase in scanning and exploitation for F5 BIG-IP. Others on Twitter have also observed exploitation attempts. Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.
Widespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however; our best guess is that there are only about 2,500 targets on the internet.
F5 customers should patch their BIG-IP devices as quickly as possible using F5's upgrade instructions. Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level — only authorized users should be able to reach the management interface at all.
F5 also provides a workaround as part of their advisory. If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.
Exploit attempts appear in at least two different log files:
Because this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.
InsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated vulnerability check in the May 5, 2022 content release. This release also includes authenticated vulnerability checks for additional CVEs in F5's May 2022 security advisory.