Heads up for network administrators with F5’s BIG-IP family of networking devices in their environment: There is a new security update available for the newly disclosed critical remote code execution vulnerability (CVE-2022-1388). Several security researchers have already created working exploits, so administrators need to move quickly and secure their networks before the attackers come knocking.
According to security researcher Kevin Beaumont, attackers are already trying to exploit the flaw and dropping webshells. The vulnerability is "trivial" to exploit, Horizon3 said on Twitter. Horizon3 is among several groups that have already developed a working exploit.
The critical flaw (with a score of 9.8 under the Common Vulnerability Scoring System) affects the BIG-IP iControl REST authentication component, F5 said on May 4. If exploited, remote adversaries can bypass authentication and execute commands with elevated privileges. They could target this vulnerability to gain initial access to the network and move laterally to access other devices on the network.
Considering that BIG-IP devices are widely used in enterprise environments and serve the role of a load balancer, application firewall, and full proxy, this flaw potentially opens enterprise networks to a variety of attacks. Adversaries would be able to steal corporate data, install cryptominers, download and install malware and backdoors, or even disrupt normal business operations by launching a ransomware attack.
Assessment: Is Your Organization Impacted?
BIG-IP is used by 48 of the Fortune 50, F5 says, and there are more than 16,000 instances of BIG-IP discoverable by Shodan. However, the vulnerability affects the management interface, so the vulnerable devices are the ones where the management interface is exposed to the Internet. According to Rapid7 lead security researcher Jacob Baines, that puts the number of affected BIG-IP devices closer to 2,500.
Administrators can execute the following one-line bash command from Randori to determine whether their instance of BIG-IP is exploitable (replace the ADDRESS with the host IP in order to execute the command):
HOST=ADDRESS; if curl -s https://$HOST/mgmt/tm --insecure -H "Authorization: Basic YWRtaW46" -H "X-F5-Auth-Token: 1" -H "Connection: X-Forwarded-Host, X-F5-Auth-Token" -H "Content-Length: 0" | grep -q "\"items\":\["; then printf "\n[*] $HOST is vulnerable\n"; else printf "\n[*] $HOST doesn't appear vulnerable\n"; fi
The command prints either [*] 192.168.255.2 is vulnerable or [*] 192.168.255.2 doesn't appear vulnerable (with 192.168.255.2 standing in for the address you supplied).
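As a defender-side counterpart to the Randori check, the following added Python example (not from the article, F5 or Randori) scans request records for the two markers visible in that command: a Connection header that names X-F5-Auth-Token, and Basic credentials that decode to the admin user with an empty password. The JSON-lines record format and the sample records are assumptions constructed for this example.

```python
import base64
import json
from typing import Dict, List

# Constructed sample records (JSON lines, one HTTP request each) such as a proxy
# in front of the management interface might export; the format is assumed.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "path": "/mgmt/tm", "headers": {"Authorization": "Basic YWRtaW46", "X-F5-Auth-Token": "1", "Connection": "X-Forwarded-Host, X-F5-Auth-Token"}}
{"src": "10.0.0.5", "path": "/mgmt/tm", "headers": {"X-F5-Auth-Token": "sometoken", "Connection": "keep-alive"}}
{"src": "198.51.100.9", "path": "/mgmt/tm", "headers": {"authorization": "Basic YWRtaW46", "connection": "x-f5-auth-token"}}
{"src": "10.0.0.6", "path": "/tmui/login.jsp", "headers": {"Connection": "keep-alive"}}
"""

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def suspicious_reasons(request: dict) -> List[str]:
    """Indicators found in one request to the iControl REST path (/mgmt/)."""
    reasons: List[str] = []
    if not request.get("path", "").startswith("/mgmt/"):
        return reasons
    headers = request.get("headers", {})
    # The check command lists X-F5-Auth-Token in the Connection header so the
    # token header is treated as hop-by-hop; no legitimate client does that.
    conn = [t.strip().lower() for t in _header(headers, "Connection").split(",")]
    if "x-f5-auth-token" in conn:
        reasons.append("Connection header strips X-F5-Auth-Token")
    auth = _header(headers, "Authorization")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            decoded = ""
        user, _, password = decoded.partition(":")
        # YWRtaW46 decodes to "admin:", i.e. the admin user with no password.
        if user == "admin" and password == "":
            reasons.append("Basic auth as admin with empty password")
    return reasons

def scan_log(text: str) -> List[dict]:
    """Return the records that carry at least one indicator, with the reasons."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        record = json.loads(line)
        reasons = suspicious_reasons(record)
        if reasons:
            hits.append({"src": record.get("src"), "path": record["path"], "reasons": reasons})
    return hits
```

Requests from an internal source that carry a real token and a normal Connection header are left alone; only the bypass pattern is reported, so the output is a short list to triage rather than every management-plane request.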
"First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch," Johannes Ullrich, dean of research at SANS Technology Institute, wrote on the InfoSec Handlers Diary.
Take Action: Apply the Security Update
F5 has released security updates for BIG-IP for the following firmware versions:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
There is no security update being released for firmware versions 11.x and 12.x (11.6.1 to 11.6.5 and 12.1.0 to 12.1.6) because they are no longer supported. Administrators should upgrade to a newer version as soon as possible.
Close the Gaps: Apply Mitigations Where Needed
F5 released three mitigations for cases where the BIG-IP devices cannot be updated right away. The mitigations are intended to be a temporary measure — administrators should apply the update or, in the case of an unsupported firmware version, upgrade to the newer version as soon as possible.