F5 has issued a security advisory about a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP.
The vulnerability is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead to a complete takeover of the system.
According to the F5 security advisory, the flaw is in the iControl REST component and allows a malicious actor to send undisclosed requests to bypass iControl REST authentication on BIG-IP.
Due to the severity of the vulnerability and the widespread deployment of BIG-IP products in critical environments, CISA (Cybersecurity and Infrastructure Security Agency) has also issued an alert today.
The full list of affected products is shown below:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
F5 has introduced fixes in v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5. The 12.x and 11.x branches will not receive a fix.
Additionally, the advisory clarifies that BIG-IQ Centralized Management, F5OS-A, F5OS-C, and Traffic SDC are not affected by CVE-2022-1388.
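As an added triage helper (not code from F5 or from this article), the function below classifies a BIG-IP version string against the affected ranges and fix releases listed above. It assumes the usual F5 advisory convention that a fix release and every later release on the same major.minor branch contain the fix, and it compares on four components so that 16.1.2 is recognised as affected while 16.1.2.2 is not.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges per branch as listed in the advisory: (first, last), inclusive.
AFFECTED = [
    ((16, 1, 0), (16, 1, 2)),
    ((15, 1, 0), (15, 1, 5)),
    ((14, 1, 0), (14, 1, 4)),
    ((13, 1, 0), (13, 1, 4)),
    ((12, 1, 0), (12, 1, 6)),
    ((11, 6, 1), (11, 6, 5)),
]
# Releases that introduced the fix; the 12.x and 11.x branches get none.
FIXED = [(17, 0, 0), (16, 1, 2, 2), (15, 1, 5, 1), (14, 1, 4, 6), (13, 1, 5)]


def parse_version(text: str) -> Version:
    """Parse 'v16.1.2.2' or '16.1.2' into a tuple of three or four integers."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return parts


def _pad(v: Version) -> Version:
    # Compare on four components so 16.1.2 (== 16.1.2.0) sorts below 16.1.2.2.
    return v + (0,) * (4 - len(v))


def classify(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix_release) with status one of
    'fixed', 'affected', 'affected-no-fix', 'not-listed'.
    Assumption (advisory convention): the fix release and every later
    release on the same major.minor branch contain the fix."""
    v = parse_version(text)
    branch = v[:2]
    branch_fix = next((f for f in FIXED if f[:2] == branch), None)
    fix_str = ".".join(map(str, branch_fix)) if branch_fix else None
    if branch_fix and _pad(v) >= _pad(branch_fix):
        return "fixed", fix_str
    for lo, hi in AFFECTED:
        # The upper bound is a 3-component release, so 16.1.2.1 still falls
        # inside 16.1.0 .. 16.1.2 (only 16.1.2.2 and later carry the fix).
        if _pad(lo) <= _pad(v) and v[:3] <= hi:
            return ("affected", fix_str) if branch_fix else ("affected-no-fix", None)
    return "not-listed", None
```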
F5 has provided the following three effective mitigations that can be used temporarily by those who are unable to apply security updates immediately:
- block all access to your BIG-IP system’s iControl REST interface through self IP addresses,
- restrict access to the management interface to trusted users and devices only, or
- modify the BIG-IP httpd configuration.
F5 provided full details on how to do this in the advisory, but some methods, such as blocking access entirely, can impact services, including disrupting high availability (HA) configurations. As such, applying security updates is still the recommended way to go, if possible.
Finally, F5 has released a more generic advisory to cover an additional set of 17 high-severity vulnerabilities discovered and fixed in BIG-IP, so be sure to check that out as well.
16,000+ exposed BIG-IP devices
With F5 BIG-IP devices commonly used in the enterprise, this vulnerability presents a significant risk in allowing threat actors to gain initial access to corporate networks.
To make matters worse, rather than organizations adequately protecting their BIG-IP devices, security researcher Nate Warfield has seen the number of publicly exposed devices rise significantly since 2020.
https://t.co/80tShneNwK – When CVE-2020-5902 dropped, there were ~10k F5 management interfaces exposed online.
Today there are 16k (https://t.co/2JPkVZwH5X is the @shodanhq query I use)
Shodan trend data would imply that no one learned to block these things pic.twitter.com/yC1oEbEZk9
– Nate Warfield | #StandWithUkraine (@n0x08) May 4, 2022
Using the query shared by Warfield, Shodan shows that there are currently 16,142 F5 BIG-IP devices publicly exposed to the Internet. The majority of these devices are in the US, followed by China, India, Australia, and Japan.
Security researchers have already started narrowing down the location of the vulnerability, and it wouldn’t be surprising to see threat actors start looking for vulnerable devices soon.
Therefore, network administrators should patch these devices as soon as possible or at least apply the provided mitigations.