Critical F5 BIG-IP Vulnerability Exploited by Hackers
Several F5 BIG-IP Modules Are Impacted.
Last updated on May 11, 2022
Hackers have begun deploying malicious payloads by means of a critical vulnerability identified as CVE-2022-1388, which has an impact on numerous versions of all F5 BIG-IP modules.
F5 issued patches last week for the authentication flaw in the BIG-IP iControl REST component, which carries a CVSS severity score of 9.8.
Exploiting the mentioned vulnerability, an unauthenticated threat actor would be able to perform a series of malicious actions on the BIG-IP:
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
Thousands of BIG-IP systems are currently accessible on the internet, allowing attackers to remotely exploit the vulnerability and enter the corporate network.
Several security experts have stated recently that they had developed working exploits and advised administrators to upgrade their systems immediately.
Because an attack requires only two commands and certain headers sent to an unpatched ‘bash’ endpoint reachable from the internet, working exploits have recently become publicly available.
According to BleepingComputer, proof-of-concept exploit code for CVE-2022-1388 is already circulating on Twitter, with indications that it is being used in the wild to drop webshells for persistent backdoor access.
Threat Actors Dropping Webshells
Threat actors were dropping PHP webshells to “/tmp/f5.sh” and installing them to “/usr/local/www/xui/common/css/,” according to CronUp security researcher Germán Fernández.
Once the installation completes, the payload is executed and then removed from the system.
Kevin Beaumont has also observed exploitation attempts; however, those attacks did not target the management interface.
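The two drop locations described above give a defender something concrete to hunt for. The script below is an added example (it is not part of the article, nor F5 or CronUp tooling) that walks the CSS directory named in the report and flags files that should never be there: non-.css names, PHP code markers in the content, or very recent modification times, and separately checks for the staging script path. The indicator paths come from the article; the 72-hour window, the marker regex and the `Finding` type are assumptions made for the demo, and the script accepts any directory so it can be tested offline.

```python
"""
Added example (not from the article): a post-exploitation hunt for the
CVE-2022-1388 webshell drop locations described in the report.

Indicators taken from the article:
  - staging script written to /tmp/f5.sh
  - PHP webshell installed under /usr/local/www/xui/common/css/

The recency window, the PHP marker regex and the Finding type are assumptions
constructed for this demo.
"""
import os
import re
import sys
import time
from dataclasses import dataclass
from typing import List

# Paths named in the article.
STAGING_SCRIPT = "/tmp/f5.sh"
WEBSHELL_DIR = "/usr/local/www/xui/common/css/"

# Markers of PHP code; a directory that serves stylesheets should never contain these.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|\bsystem\s*\(|\bshell_exec\s*\(")


@dataclass
class Finding:
    path: str
    reason: str


def scan_css_dir(css_dir: str, recent_hours: float = 72.0) -> List[Finding]:
    """Flag files in a web-served CSS directory that look out of place:
    non-.css extension, PHP markers in the first 64 KiB, or a recent mtime."""
    findings: List[Finding] = []
    cutoff = time.time() - recent_hours * 3600
    for root, _dirs, files in os.walk(css_dir):
        for name in files:
            path = os.path.join(root, name)
            if not name.lower().endswith(".css"):
                findings.append(Finding(path, "non-CSS file in CSS directory"))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable or vanished; nothing more to say about it
            if PHP_MARKERS.search(head):
                findings.append(Finding(path, "PHP code markers in content"))
            if mtime > cutoff:
                findings.append(Finding(path, f"modified within last {recent_hours:g} h"))
    return findings


def check_staging_script(path: str = STAGING_SCRIPT) -> List[Finding]:
    """Report the staging script if it is still on disk (the article notes it is
    normally removed after execution, so absence is not a clean bill of health)."""
    return [Finding(path, "staging script present")] if os.path.exists(path) else []


def hunt(css_dir: str = WEBSHELL_DIR, staging: str = STAGING_SCRIPT) -> List[Finding]:
    """Run both checks and return every finding."""
    return check_staging_script(staging) + scan_css_dir(css_dir)


if __name__ == "__main__":
    # Usage: python hunt_f5.py [css_dir]   (defaults to the path from the article)
    target = sys.argv[1] if len(sys.argv) > 1 else WEBSHELL_DIR
    for f in hunt(target):
        print(f"[!] {f.path}: {f.reason}")
```

Because the staging script is deleted after it runs, the directory scan is the more reliable of the two checks; a clean result from `check_staging_script` alone should not be read as evidence that the box was not hit.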
One thing of note – exploit attempts I’ve seen so far, not on mgmt interface.
If you configured F5 box as a load balancer and firewall via self IP it is also vulnerable so this may get messy. pic.twitter.com/U4TEcSRmul
On the other hand, other researchers claim they’ve noticed exploitation attempts of the management interface through CVE-2022-1388.
Because the vulnerability is so easy to abuse, several security researchers suspect it was not introduced into the products by mistake, especially considering the name of the vulnerable endpoint (“bash”), a well-known Linux shell.
According to Jake Williams, executive director of cyber threat intelligence at Scythe, the issue could have been caused by a development error.
I’m not entirely unconvinced that this code wasn’t planted by a developer performing corporate espionage for an incident response firm as some sort of revenue guarantee scheme.
Because exploit code is already widely available, administrators should immediately deploy the available patches, block access to the management interface from the public internet, or apply F5’s mitigations until the updates can be deployed. The mitigations provided by F5 are the following:
Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!