Flash Notice: [CVE-2022-1388] Critical Remote Code Execution Vulnerability Found in F5's BIG-IP Systems

May 9, 2022

Overview of cve-2022-1388

A critical vulnerability was found in F5’s BIG-IP systems last week and is now being exploited in the wild. F5 is a leading application service provider and BIG-IP is a combination of software and hardware designed to protect apps and networks against attacks. The company released patches for 43 vulnerabilities, but the most emergent vulnerability is CVE-2022-1388, which was given a CVSS score of 9.8.

CVE-2022-1388 is a lack of authentication check vulnerability that could allow an attacker to take control of an affected system. According to F5, a threat actor could obtain unauthenticated network access to BIG-IP systems through the management port and/or self IP addresses. Customers use self-IP addresses on BIG-IP systems to associate with VLAN. Unauthorized network access could allow the threat actor to execute arbitrary system commands, create or delete files, and disable services. The issue is a control plane issue and does not expose data.

The following BIG-IP products are affected by CVE-2022-1388:

16.1.0 - 16.1.2
15.1.0 - 15.1.5
14.1.0 - 14.1.4
13.1.0 - 13.1.4
12.1.0 - 12.1.6

11.6.1 - 11.6.5

While F5 has patches for versions v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5, they will not release a patch for versions 11.x (11.6.1 – 11.6.5) and 12.x (12.1.0 – 12.1.6). CVE-2022-1388 does not impact other F5 products such as BIG-IQ Centralized Management, F5OS-C, Traffic SDC, or F5OS-A.

Over the weekend, analysts developed a working exploit for CVE-2022-1388 and shared evidence of successful exploitation attempts. Because BIG-IP devices are commonly used by enterprises, there is a significant risk of exposure to attacks. Most of the devices are located in India, Australia, U.S., and China. If you are not able to immediately apply the security patches, please follow F5’s temporary mitigations.

How Avertium is Protecting Our Customers:

Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident.
Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.

Avertium's recommendations

Please patch your BIG-IP devices as soon as possible.
If you cannot patch your device, please follow the following temporary mitigations below:
Block iControl REST access through the self IP address
Block iControl REST access through the management interface
Modify the BIG-IP httpd configuration
Log all iControl REST API requests. Please follow the instructions found here.

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2022-1388. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.