F5 BIG-IP Remote Command Execution Vulnerability (CVE-2022-1388)

Description

FortiGuard Labs is aware of a new remote command execution vulnerability affecting F5 BIG-IP clients. Exploiting this vulnerability will allow an attacker to completely take over an affected device.


What are the Technical Details of this Vulnerability?

According to the F5 security advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.


Because this vulnerability does not require any sophistication to exploit, and the fact that in-the-wild exploitation are reported to have been observed and proof-of-concept (PoC) codes are publicly available, it is highly recommended that organizations affected by this latest vulnerability apply all patches immediately.


What Versions Are Affected?

Reported versions affected by CVE-2022-1388 are:

BIG-IP versions 16.1.2 through 13.1.0 (versions under 13.1.0 are affected but will not be fixed)


How Serious of an Issue is This?

HIGH. CVE-2022-1388 has a CVSS score of 9.8. US-CERT (CISA) has also issued an alert for this issue. For further information, please refer to F5 Releases Security Advisories Addressing Multiple Vulnerabilities in the APPENDIX.


How Widespread is this Attack?

Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Proof-of-concept codes (POC) are available and the vulnerability is reported to have been actively exploited in the wild.


What is the Status of Coverage?

Customers running current (IPS) definitions are protected by:


F5.BIG-IP.iControl.REST.Authentication.Bypass


FortiGuard Labs is continuously monitoring this vulnerability and we will update this Threat Signal once more information becomes available.


Are There Any Reports of Nation State Activity Actively Exploiting CVE-2022-1388?

Yes, the vulnerability is reported to have been actively exploited in the wild.


Any Other Suggested Mitigation?

According to F5, it is recommended to apply all available patches from the May 2022 update immediately. If patching is not possible at this time, F5 recommends blocking all access to the iControl REST interface of your BIG-IP system through self IP addresses. Mitigation details can be found in the article titled - "K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388" in the APPENDIX section.


The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network.

Telemetry