Threat actors have begun mass-exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.
Last week, F5 released patches for the security issue (severity rating 9.8), which affects the BIG-IP iControl REST authentication component.
The company warned that the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system to execute “arbitrary system commands, create or delete files, or disable services.”
There are thousands of BIG-IP systems exposed on the Internet right now, so attackers can exploit the flaw remotely to breach the corporate network.
Yesterday, several security researchers announced that they had created functional exploits and warned administrators to install the latest updates immediately.
Today the cat is out of the bag and the exploits are publicly available, as the attack requires only two commands and a few headers sent to an unpatched ‘bash’ endpoint exposed to the internet.
At the moment Twitter is full of exploit code for CVE-2022-1388, along with reports that it is being exploited in the wild to drop webshells for persistent backdoor access.
Actively exploited to drop payloads
CronUp security researcher Germán Fernández observed threat actors dropping a script to “/tmp/f5.sh” that installs PHP webshells in “/usr/local/www/xui/common/css/”.
After installation, the payload is executed and the dropper is then removed from the system.
Kevin Beaumont has also seen exploitation attempts in attacks that did not target the administration interface. He notes that if the F5 system has been configured “as a load balancer and a firewall via self IP, it’s also vulnerable, so this may get messy”.
However, other researchers have seen CVE-2022-1388 massively exploited against the administration interface.
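As an added example that is not part of the article, F5’s tooling or the Randori checker, the following POSIX shell script hunts the two on-host indicators reported in this section (the “/tmp/f5.sh” dropper and PHP files under “/usr/local/www/xui/common/css/”) and flags POST requests to the iControl REST ‘bash’ endpoint (/mgmt/tm/util/bash, the real path behind the endpoint name the article mentions) in an httpd access log. The ROOT parameter, the trusted-source allow-list, the log path /var/log/httpd/httpd_access_log and the sample log lines are assumptions and constructed data, not material from the page.

```shell
#!/bin/sh
# Added example for this article: IOC hunt for CVE-2022-1388 exploitation.
# Not F5 code, not the Randori checker and not the exploit itself.

# --- filesystem indicators ---------------------------------------------
# ROOT is an assumed parameter so the checks can run against a test tree;
# on a live BIG-IP run as root with ROOT="" (the real filesystem).
list_webshell_iocs() {
    root="${1:-}"
    # Dropper script reported at /tmp/f5.sh
    if [ -f "$root/tmp/f5.sh" ]; then
        echo "dropper: $root/tmp/f5.sh"
    fi
    # PHP files never belong in the XUI stylesheet directory
    css="$root/usr/local/www/xui/common/css"
    if [ -d "$css" ]; then
        find "$css" -type f -name '*.php' 2>/dev/null | sed 's/^/php in css dir: /'
    fi
    return 0
}

count_webshell_iocs() {
    list_webshell_iocs "$1" | wc -l | tr -d ' '
}

# --- access-log indicator -------------------------------------------------
# Print POST requests to the iControl REST bash endpoint, skipping lines whose
# source IP is in ALLOW (assumed space-separated list of trusted admin hosts).
# Legitimate admins can use this endpoint too, so treat hits as triage leads.
flag_bash_endpoint_requests() {
    log="$1"
    allow="${2:-}"
    grep -F '"POST /mgmt/tm/util/bash' "$log" 2>/dev/null | while IFS= read -r line; do
        src="${line%% *}"            # first field of a combined-format line
        skip=0
        for ip in $allow; do
            if [ "$src" = "$ip" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then echo "$line"; fi
    done
    return 0
}

count_bash_endpoint_requests() {
    flag_bash_endpoint_requests "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed sample data (not from a real BIG-IP) ---------------------
build_sample_tree() {
    dir="$1"
    mkdir -p "$dir/tmp" "$dir/usr/local/www/xui/common/css" "$dir/var/log/httpd"
    printf '#!/bin/bash\n# constructed stand-in for the reported dropper\n' > "$dir/tmp/f5.sh"
    printf '<?php /* constructed stand-in for a dropped webshell */ ?>\n' \
        > "$dir/usr/local/www/xui/common/css/x.php"
    printf '/* legitimate stylesheet */\n' > "$dir/usr/local/www/xui/common/css/main.css"
    cat > "$dir/var/log/httpd/httpd_access_log" <<'EOF'
10.0.0.5 - admin [09/May/2022:10:01:02 +0000] "GET /mgmt/tm/ltm/pool HTTP/1.1" 200 512
203.0.113.7 - - [09/May/2022:10:05:17 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 231
10.0.0.5 - admin [09/May/2022:10:06:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 190
198.51.100.9 - - [09/May/2022:10:07:41 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 87
EOF
}

# Stand-alone run against the constructed tree
work="$(mktemp -d)"
build_sample_tree "$work"
list_webshell_iocs "$work"
flag_bash_endpoint_requests "$work/var/log/httpd/httpd_access_log" "10.0.0.5"
rm -rf "$work"
```

A 401 on the bash endpoint (the last sample line) is still worth seeing: it is what a failed attempt against a patched or mitigated box looks like, and it tells you who is probing. Add the dropped files to your timeline checks as well, since the dropper removes itself after the webshell is installed.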
Suspiciously easy to exploit
The vulnerability is so easy to exploit that some security researchers believe it didn’t end up in products by accident, especially considering that the vulnerable endpoint is called ‘bash’, a popular Linux shell.
Jake Williams, executive director of cyber threat intelligence at Scythe, says the flaw could be the result of a developer error.
Will Dormann, CERT/CC vulnerability analyst, shares the same sentiment, fearing that it could be a much bigger problem otherwise.
Since the exploit is already widely shared publicly, administrators are strongly advised to install the available patches immediately, remove access to the management interface from the public internet, and apply F5’s mitigations until the updates can be installed.
The F5 advisory for this vulnerability (K23605346), which includes detailed information on all security updates and mitigations, can be found here.
To help BIG-IP administrators, researchers at attack surface management company Randori published a bash script that determines whether CVE-2022-1388 is exploitable on their instances.