This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.
Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.
According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and dropping webshells. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter. Horizon3 is among several groups that have already developed a working exploit.
The critical flaw (with a score of 9.8 under the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.
Considering that BIG-IP devices are widely used in enterprise environments and serve the role of a load balancer, application firewall, and full proxy, this flaw potentially opens enterprise networks to a variety of attacks. Adversaries would be able to steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.
Assessment: Is Your Organization Impacted?
BIG-IP is used by 48 of the Fortune 50, F5 says, and there are more than 16,000 instances of BIG-IP discoverable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are the ones where the management interface is exposed to the Internet. According to Rapid7 lead security researcher Jacob Baines, that puts the number of affected BIG-IP devices closer to 2,500.
Administrators can execute the following one-line bash command from Randori to determine whether their instance of BIG-IP is exploitable. Replace ADDRESS with the IP address or hostname of the device's management interface, and run it only against devices you are authorized to test; the command sends an unauthenticated request to the iControl REST endpoint and treats a successful module listing as proof of the authentication bypass:
HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm \
--insecure \
-H "Authorization: Basic YWRtaW46" \
-H "X-F5-Auth-Token: 1" \
-H "Connection: X-Forwarded-Host, X-F5-Auth-Token" \
-H "Content-Length: 0" | grep -q "\"items\":\["; then printf "\n[*] $HOST is vulnerable\n"; else printf "\n[*] $HOST doesn't appear vulnerable\n"; fi
The command's output would be either a [*] 192.168.255.2