F5’s BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.
A critical CVE (CVSS 9.8/10) has come to light that is also being actively exploited in the wild. The vulnerability resides in the iControl REST functionality of F5 systems; it allows an authentication bypass that can lead to remote code execution, letting an attacker gain initial access, take control of an affected system, and perform practically any action they want.
Such exploitation may also lead to web shells being dropped to maintain persistence and launch future attacks, and it can be used to deploy ransomware as well.
On May 4, 2022, F5 released patches for 43 bugs spanning its products. Of the 43 vulnerabilities addressed, one was rated critical: CVE-2022-1388, the one currently being exploited in the wild.
Fortunately, in this case a patch for the vulnerability is publicly available, so it is not a zero-day vulnerability.
Please note that the window between a vulnerability's disclosure and its exploitation by threat actors shrinks with every passing year. For the current F5 BIG-IP vulnerability, security researchers have observed mass scanning activity across the internet aimed at identifying management interfaces that are exposed to the internet.
According to F5's official Security Advisory, the impact of the vulnerability in your environment can be ascertained by referring to the table below:
Impact of this vulnerability:
According to publicly available information, there are over 23,486 exposed BIG-IP interfaces on the internet, which makes this a candidate for an urgent fix before it has a snowballing effect across the digital environment.
- Deploy the patches and fixes from the latest security advisory issued by F5 as soon as possible to reduce your attack surface
Until it is possible to install a fixed version, you can apply the following temporary mitigations. They restrict access to iControl REST to trusted networks or devices only, thereby limiting the attack surface.
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
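The first two mitigations above come down to two BIG-IP settings: the `allow` list of `/sys httpd` (which governs who may reach the management-interface web server, including iControl REST) and the `allow-service` list of each `/net self` address (where `default` or an entry for TCP 443 exposes iControl REST on that self IP). The script below is an added example, not code from BreachLock or F5: it parses constructed samples of `tmsh list /sys httpd allow` and `tmsh list /net self` output and reports any exposure, naming the `tmsh modify` command that closes it. The listing format mirrors what tmsh prints, but the self IP names, addresses and the `<trusted-net>` placeholder are assumptions; run it against your own `tmsh list` output rather than the embedded samples.

```python
"""Assess BIG-IP iControl REST exposure from tmsh listings (offline check)."""
from __future__ import annotations

import re

# Constructed sample of `tmsh list /sys httpd allow` output. The `all` entry
# means the management-interface web server, and iControl REST on it, accepts
# connections from any source address.
SAMPLE_HTTPD_ALLOW = """\
sys httpd {
    allow { all }
}
"""

# Constructed sample of `tmsh list /net self` output for two hypothetical self
# IPs. `allow-service default` permits a fixed service set that includes TCP
# 443 (iControl REST); `allow-service none` is full port lockdown.
SAMPLE_NET_SELF = """\
net self self_internal {
    address 10.1.1.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self self_external {
    address 192.0.2.5/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
"""

# One `net self <name> { ... }` block; the closing brace sits at column 0,
# so nested, indented braces do not terminate the match early.
SELF_BLOCK = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)

# allow-service values that reach TCP 443; tmsh shows known ports by service
# name, so `tcp:https` and `tcp:443` are both accepted here.
ICONTROL_REACHABLE = {"default", "all", "tcp:443", "tcp:https"}


def httpd_allow_entries(listing: str) -> list[str]:
    """Return the entries of the httpd allow list (empty if not found)."""
    match = re.search(r"allow\s*\{([^}]*)\}", listing)
    return match.group(1).split() if match else []


def httpd_allows_all(listing: str) -> bool:
    """True when the management interface accepts connections from anywhere."""
    return "all" in httpd_allow_entries(listing)


def parse_self_ips(listing: str) -> dict[str, list[str]]:
    """Map each self IP name to its allow-service entries ('none' -> [])."""
    result: dict[str, list[str]] = {}
    for name, body in SELF_BLOCK.findall(listing):
        if re.search(r"allow-service\s+none\b", body):
            result[name] = []
            continue
        match = re.search(r"allow-service\s*\{([^}]*)\}", body)
        result[name] = match.group(1).split() if match else []
    return result


def self_ip_exposes_icontrol(services: list[str]) -> bool:
    """True if the allow-service list lets traffic reach TCP 443."""
    return any(service in ICONTROL_REACHABLE for service in services)


def find_exposures(httpd_listing: str, self_listing: str) -> list[str]:
    """Return one finding per exposure, each with the tmsh command to fix it."""
    findings: list[str] = []
    if httpd_allows_all(httpd_listing):
        findings.append(
            "management interface: httpd allow list is 'all'; restrict it with "
            "`tmsh modify /sys httpd allow replace-all-with { <trusted-net> }`"
        )
    for name, services in parse_self_ips(self_listing).items():
        if self_ip_exposes_icontrol(services):
            findings.append(
                f"self IP {name}: allow-service {services} reaches TCP 443; "
                f"lock it down with `tmsh modify /net self {name} allow-service none`"
            )
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_HTTPD_ALLOW, SAMPLE_NET_SELF):
        print(finding)
```

The check is deliberately conservative: any self IP whose allow-service list contains `default`, `all` or an HTTPS entry is reported, and only an explicit `allow-service none` (or a custom list without TCP 443) passes. After applying either `tmsh modify` command, run `tmsh save /sys config` so the change survives a reboot.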
Please refer to https://support.f5.com/csp/article/K23605346 for detailed guidance on the recommendation and mitigation measures.
Please get in touch with your BreachLock representative if you need help detecting, remediating, or mitigating this vulnerability.