User’s of F5’s BIG-IP application services could be vulnerable to a critical flaw that allows an unauthenticated attacker on the BIG-IP system to run arbitrary system commands, create or delete files, or disable services.
The vulnerability is recorded as CVE-2022-1388 with a 9.8 severity rating, just below the highest possible rating of 10. The U.S. Cybersecurity and Infrastructure Security Agency has encouraged users and admins to apply updates and workarounds as soon as possible.
The vulnerability can be attacked remotely to infiltrate a corporate network. There are already various POCs (proofs of concept) available publicly on GitHub like this one. Therefore, the best way to fix the issue is to update, as F5 has patched the vulnerability.
In other words, it’s a critical RCE (remote code execution) users and administrators should update as soon as possible.
Also read: Best Patch Management Software & Tools
Vulnerable F5 Devices
At the time of writing, Shodan has listed more than 2,500 vulnerable devices mostly in the U.S., China, and Korea.
In any case, hackers are actively exploiting the flaw and specialists are observing “active scanning and exploitation of the latest F5 vuln,” according to Twitter user Balgan, aka Tiago Henriques of digital insurance firm Coalition:
Which F5 Devices are Vulnerable?
BIG-IP devices prior to version 17.0.0 are vulnerable to attacks. F5 gave a detailed description of the bug:
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.”
Users who want to get the full list can go to the F5 support, although F5 mentioned that the company “evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.”
Not all products are exposed to the highest risk, so make sure you read the instructions carefully on the support page.
There’s also a complete guide to updating and upgrading your BIG-IP device if you need more assistance.
It should be noted that critical CVEs are not fixed for products under version 13:
Products in this category are at high risk and can be attacked by an unauthenticated attacker. However, you should update even if your product is in lower categories (high CVEs, medium CVEs, etc.), as logged-in attackers can still bypass some restrictions.
Also read: 13 Best Vulnerability Scanner Tools
Easy to Exploit
One of the most underappreciated aspects of hacking is probably the ease with which some things can be hacked. Many people think hackers only love challenging exploits that take days, weeks, or even months to achieve, and that can only be solved by masterminds.
While hackers do love challenges, they also keep a pragmatic approach, especially when there’s money and huge stakes involved. If a vulnerability is easy to exploit, they’ll attack it.
Some security researchers, like Jake Williams, are even skeptical about the origin of the flaw:
“I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.”
It’s pretty hard, perhaps impossible to determine for now, but another detail has raised those types of issues – the vulnerable endpoint involved is named “bash,” like the popular Linux shell:
Many public POCs have been published since then. Most require passwords but some managed to exploit the vulnerability without it and even dropped a PHP-based shell, which installs a backdoor on the remote target:
The shell is dropped in “/tmp/f5.sh” and the payload is installed in “/usr/local/www/xui/common/css/.” After execution, the payload is removed.
Another Resource to Determine If You’re Vulnerable
In addition to the list of vulnerable devices, researchers at Randori, a company specializing in attack surface management, published a Bash code to determine if you’re vulnerable or not.
Regardless of its origins, the vulnerability is an emergency, as the exploit is public, quite easy to reproduce, and BIG-IP products are commonly used in enterprises.
While the management interface is massively attacked, it’s not the only possible way, so if you can’t update for some reason, you must at least do the following:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
Routers and network devices are critical points of entry into your environment. It’s essential to update them regularly and not to use the default configurations. In addition, users must choose the right devices with active support, and providers that can patch such vulnerabilities quickly.
Read next: Top Vulnerability Management Tools