BIG-IP RCE Bug Could Allow Device Takeover
Unauthenticated Attackers with Network Access Might Execute Arbitrary System Commands, Modify Files, and Disable Services on BIG-IP.
F5 Networks is a leading provider of enterprise networking gear; its software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and well-known consumer brands such as Microsoft, Oracle, and Facebook.
The vulnerability has been assigned the identifier CVE-2022-1388 and carries a CVSS v3 score of 9.8, making it critical. Successful exploitation can result in a complete takeover of the system.
According to the security advisory published by F5, the flaw lies in the iControl REST component: undisclosed requests allow an attacker to bypass iControl REST authentication on BIG-IP.
The CISA (Cybersecurity and Infrastructure Security Agency) has also issued a notice today, citing the seriousness of the vulnerability and the extensive use of BIG-IP devices in mission-critical applications.
F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system.
CISA encourages users and administrators to review the F5 webpage, Overview of F5 vulnerabilities (May 2022), and apply the necessary updates or workarounds.
As BleepingComputer reports, this is the complete list of affected BIG-IP versions:
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
F5 has released fixes in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. The 12.x and 11.x branches will not receive a patch; the only remedy for those is to upgrade to a supported branch.
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
The advisory also states that CVE-2022-1388 does not affect BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffic SDC.
For those who cannot apply the security updates immediately, F5 lists three temporary mitigations:
- Block iControl REST access through self IP addresses, by setting each self IP's Port Lockdown to Allow None (or, if some ports must stay open, using Allow Custom and leaving out the iControl REST port, TCP 443 by default).
- Block iControl REST access through the management interface, by restricting it to trusted users and devices only.
- Modify the BIG-IP httpd configuration as described in the advisory.
F5's advisory documents how to apply each of these, but some of them, such as blocking all access through self IPs, can disrupt services, including breaking high availability (HA) configurations that rely on self IPs for config sync and failover traffic. Installing the security updates therefore remains the preferred protection wherever possible.
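The mitigations above, written out as tmsh commands. This is an added example, not configuration from the article; the self IP names (external_self, ha_self), the 192.0.2.0/24 admin network, and the HA port list are assumptions you must adapt to your deployment. The httpd include block is the one F5 published in its advisory for this CVE (K23605346).

```tmsh
# Added example, not from the article. Assumptions: a self IP named "external_self"
# that carries no HA traffic, a second self IP "ha_self" used for config sync and
# network failover, and an admin/jump network of 192.0.2.0/24.
# All commands are entered at the tmsh prompt (run "tmsh" from the bash shell).

# 1. Block iControl REST through self IPs. Port Lockdown "Allow None" closes
#    TCP 443 (and everything else) on that self IP. "Allow Default" is NOT a
#    mitigation, because the default service list still includes tcp:443.
modify /net self external_self allow-service none

#    Caveat from the article: Allow None on a self IP used for HA breaks config
#    sync and failover. On that self IP use Allow Custom with only the HA ports
#    (tcp:4353 config sync / iQuery, udp:1026 network failover) and leave 443 out.
#    Assumption: add your connection-mirroring ports here if you use mirroring.
modify /net self ha_self allow-service replace-all-with { tcp:4353 udp:1026 }

# 2. Restrict the management interface: only the trusted admin network may reach
#    httpd, which fronts both the Configuration utility and iControl REST.
modify /sys httpd allow replace-all-with { 192.0.2.0/24 }

# 3. F5's published httpd change: force the Connection request header to be
#    exactly "close" or "keep-alive" before it reaches the iControl REST backend.
edit /sys httpd all-properties
#    In the editor that opens, set the include property to the block below,
#    then save with Esc followed by :wq!
#
#    include '
#    <If "%{HTTP:connection} =~ /close/i ">
#        RequestHeader set connection close
#    </If>
#    <ElseIf "%{HTTP:connection} =~ /keep-alive/i ">
#        RequestHeader set connection keep-alive
#    </ElseIf>
#    <Else>
#        RequestHeader set connection close
#    </Else>
#    '

# Persist the running config and read back what was changed.
save /sys config
list /net self external_self allow-service
list /net self ha_self allow-service
list /sys httpd allow
list /sys httpd include
```

Apply the self IP and management restrictions to every BIG-IP in an HA pair before testing failover, since a mismatch between peers is the usual way these changes surface as an outage. Treat all three as stop-gaps: they narrow who can reach iControl REST, they do not fix the authentication bypass.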
Lastly, F5 has issued a broader advisory to cover an additional set of 17 high-severity vulnerabilities that have been discovered and fixed in BIG-IP.
After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4 and all later 14.1.x releases (14.1.3.x, 14.1.4.x).
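Applying that branch rule by hand across a fleet is where triage mistakes happen (16.1.2 is vulnerable, 16.1.2.2 is not, 16.1.3 is not). The following is an added Python example, not code from F5 or the article, that compares a BIG-IP version string against the affected ranges and fixed versions listed above. The fixed versions are the ones this page reports from F5's May 2022 advisory; the handling of a hyphenated hotfix suffix and the sample inventory are assumptions.

```python
"""Triage BIG-IP version strings against CVE-2022-1388.

Added example; not code from F5 or from the article. Fixed versions and affected
branches are those listed on this page (F5's May 2022 advisory).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed release per minor branch (major.minor). 12.x and 11.x get no fix.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (17, 0): (17, 0, 0),
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}

# Branches the advisory lists as affected (every release until the branch's fix).
AFFECTED_BRANCHES = {(16, 1), (15, 1), (14, 1), (13, 1), (12, 1), (11, 6)}


def parse_version(text: str) -> Version:
    """Turn '16.1.2.2' into (16, 1, 2, 2).

    Assumption: a hotfix suffix such as '15.1.5.1-ENG' may appear; the part after
    the hyphen is ignored. Anything that is not 2-4 dotted integers is rejected.
    """
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){1,3}", core):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def _pad(v: Version, width: int = 4) -> Version:
    """Pad to four components so 16.1.2 compares as 16.1.2.0, i.e. below 16.1.2.2."""
    return v + (0,) * (width - len(v))


def triage(text: str) -> Dict[str, object]:
    """Return whether a version is affected and what to do about it.

    Branch rule from the advisory: once a fix lands in a branch, every later
    maintenance and point release of that branch carries it. So a version is
    affected when it sits in an affected branch and is older than that branch's
    first fixed release (or the branch has no fix at all).
    """
    v = parse_version(text)
    branch = (v[0], v[1])
    fix = FIXED_IN.get(branch)
    fix_str: Optional[str] = ".".join(map(str, fix)) if fix else None

    if fix is not None and _pad(v) >= _pad(fix):
        return {"version": text, "affected": False, "fixed_in": fix_str,
                "action": "none: fix already present"}
    if branch in AFFECTED_BRANCHES:
        action = (f"upgrade to {fix_str} or later" if fix_str
                  else "no fix for this branch: move to a supported branch or mitigate")
        return {"version": text, "affected": True, "fixed_in": fix_str,
                "action": action}
    return {"version": text, "affected": False, "fixed_in": fix_str,
            "action": "not in an affected branch"}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = [("lb-edge-1", "16.1.2"), ("lb-edge-2", "16.1.2.2"),
                 ("lb-core-1", "14.1.4.5"), ("lb-legacy", "12.1.6"),
                 ("lb-new", "17.0.0")]
    for host, ver in inventory:
        r = triage(ver)
        print(f"{host:10} {ver:10} affected={str(r['affected']):5} {r['action']}")
```

Feed it the output of `tmsh show sys version` (or the `/mgmt/tm/sys/version` REST object, once you can reach it from a trusted network again) for each device; anything that comes back with `fixed_in` set to `None` and `affected` true has no patch path on its current branch and needs a branch upgrade, not a point release.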
Combined with the widespread deployment of F5 BIG-IP devices in enterprises, this vulnerability gives threat actors a credible path to initial access into corporate networks. Network administrators should patch these devices as soon as possible, or at the very least apply the mitigations F5 has provided.