Critical F5 BIG-IP Vulnerability Exploited by Hackers
Several F5 BIG-IP Modules Are Impacted.
Hackers have begun deploying malicious payloads by means of a critical vulnerability identified as CVE-2022-1388, which has an impact on numerous versions of all F5 BIG-IP modules.
F5 issued patches for the BIG-IP iControl REST authentication component security problem (9.8 severity level) last week.
Exploiting the mentioned vulnerability, an unauthenticated threat actor would be able to perform a series of malicious actions on the BIG-IP:
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
Thousands of BIG-IP systems are currently accessible on the internet, allowing attackers to remotely exploit the vulnerability and enter the corporate network.
Several security experts have stated recently that they had developed working exploits and advised administrators to upgrade their systems immediately.
Because the attacks just require two commands and certain headers transmitted to an unpatched ‘bash’ endpoint accessible to the internet, the exploits have recently become publicly available.
According to the BleepingComputer publication, the proof-of-exploit code for CVE-2022-1388 is already circulating on Twitter, with indications that it is being used in the wild to drop webshells for extended backdoor access.
Threat Actors Dropping Webshells
Threat actors were dropping PHP webshells to “/tmp/f5.sh” and installed them to “/usr/local/www/xui/common/css/,” according to Cronup security researcher Germán Fernández.
When the installation is complete, the payload would be executed and then taken out from the system.
Kevin Beaumont has also noticed exploitation efforts. However, these attacks’ target was not the management interface.
One thing of note – exploit attempts I’ve seen so far, not on mgmt interface.
If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy. pic.twitter.com/U4TEcSRmul
— Kevin Beaumont (@GossiTheDog) May 8, 2022
On the other hand, other researchers claim they’ve noticed exploitation attempts of the management interface through CVE-2022-1388.
Because the vulnerability is so simple to be abused, several security researchers suspect it was not included in the products by mistake, especially considering the name of the vulnerable endpoint (“bash”), a prominent Linux shell.
According to Jake Williams, executive director of cyber threat intelligence at Scythe, the issue could have been caused by a development error.
I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.
If so, brilliant. If not, WTAF… https://t.co/4F237teFa2
— Jake Williams (@MalwareJake) May 9, 2022
Will Dormann, a vulnerability analyst at the CERT/CC, feels the same way, believing that it could become a much greater problem otherwise.
The CVE-2022-1388 vulnerability is surely an honest mistake by an F5 developer, right?
— Will Dormann (@wdormann) May 9, 2022
Recommended Mitigation Measures
Because the vulnerability has already been broadly distributed, administrators should immediately deploy available patches, disable access to the administration interface over the public internet, or use F5’s mitigations until updates are ready to be deployed. The mitigations provided by F5 are the following:
- Using the self IP address to block iControl REST access;
- Using the management interface to block iControl REST access;
- Make changes to the BIG-IP httpd settings.
How Can Heimdal™ Help?
- the shortest vendor-to-end-user waiting time: have your patch ready to be installed in less than 4 hours from the release;
- a broad range of patches from Microsoft and Linux OS to third-party and proprietary patches;
- a variety of effective functionalities like on-demand updates or advanced scheduling.
BOOK a DEMO and see for yourself!