Application delivery and security vendor F5 is warning that a critical vulnerability allows unauthenticated attackers with network access to execute arbitrary commands on its BIG-IP systems.
F5 BIG-IP is a family of hardware and software appliances built around application delivery, access control, availability and security.
The vulnerability is tracked as CVE-2022-1388 and carries a severity rating of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS) version 3.1.
According to F5, the flaw resides in the iControl REST interface, the representational state transfer (REST) management API through which administrators and automation configure BIG-IP devices.
By sending undisclosed requests, an attacker can bypass iControl REST authentication and reach the BIG-IP system; once there, the attacker can execute arbitrary commands, create or delete files, or disable services.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” said F5 in an advisory. “There is no data plane exposure; this is a control plane issue only,” they added.
A self IP address is an address that a BIG-IP administrator assigns to the system on a VLAN; the BIG-IP's own services, including iControl REST, listen on it, and the self IP's Port Lockdown setting decides which of those services are reachable.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert advising users to apply the updates.
The affected BIG-IP versions are:
- 16.1.0 to 16.1.2
- 15.1.0 to 15.1.5
- 14.1.0 to 14.1.4
- 13.1.0 to 13.1.4
- 12.1.0 to 12.1.6
- 11.6.1 to 11.6.5
F5 will not release fixes for the 11.x (11.6.1 to 11.6.5) and 12.x (12.1.0 to 12.1.6) branches, which have reached end of technical support; systems on those branches must be upgraded or mitigated.
F5 released fixes in 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5. Note that point releases below the fixed version on the same branch (for example 16.1.2.1) remain vulnerable.
F5's advisory clarifies that CVE-2022-1388 does not affect its other products: BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffix SDC.
Because BIG-IP devices sit in front of applications across many enterprises, there is a significant risk of widespread exploitation.
Most Internet-exposed BIG-IP devices are located in the USA, China, India and Australia, with many of them on address space belonging to Microsoft Corporation, Google LLC, DigitalOcean and Linode.
F5 advised three "temporary mitigations" for those who cannot deploy the patches immediately.
The first, in F5's words: "You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses." This is done by setting Port Lockdown to Allow None on each self IP on the system. Allow None blocks every service on that self IP, not just iControl REST, so it can also cut off traffic such as HA and config sync that runs over self IPs; where some ports must stay open, use Allow Custom and omit the iControl REST port instead. The other two mitigations are restricting access to the management interface to trusted networks or hosts, and modifying the BIG-IP httpd configuration. None of these replaces the update.
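The version table and the self IP mitigation above lend themselves to a small triage script. The following is an added example written for this article, not code from F5 or from the original page: it classifies each BIG-IP version against the affected and fixed releases listed above, including the edge case that a point release below the fix on the same branch (such as 16.1.2.1) is still vulnerable, and emits the `tmsh` command that sets Port Lockdown to Allow None on each self IP of a host that is still exposed. The inventory at the bottom is constructed; the host names and self IP object names are hypothetical.

```python
"""Triage a BIG-IP inventory against the CVE-2022-1388 version table.

Added example, not F5 code. The affected/fixed releases come from the table
above; the inventory is constructed. The tmsh command is the standard way to
set a self IP's Port Lockdown to "Allow None".
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (branch, first affected release, first fixed release); None means no fix on
# that branch. Comparing against the first fixed release rather than the last
# affected one (16.1.2, 15.1.5, ...) keeps point releases such as 16.1.2.1,
# which is older than 16.1.2.2, classified as vulnerable.
AFFECTED_BRANCHES = [
    ((16, 1), (16, 1, 0), (16, 1, 2, 2)),
    ((15, 1), (15, 1, 0), (15, 1, 5, 1)),
    ((14, 1), (14, 1, 0), (14, 1, 4, 6)),
    ((13, 1), (13, 1, 0), (13, 1, 5)),
    ((12, 1), (12, 1, 0), None),   # end of technical support, no fix
    ((11, 6), (11, 6, 1), None),   # end of technical support, no fix
]


def _pad(v: Version) -> Version:
    """Zero-pad a version tuple to four components so tuples compare cleanly."""
    return v + (0,) * (4 - len(v))


def parse_version(text: str) -> Version:
    """Turn '16.1.2.2' (optionally 'v'-prefixed) into a zero-padded 4-tuple."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version: {text!r}")
    return _pad(parts)


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_release) for a BIG-IP version string.

    status is 'vulnerable', 'vulnerable_no_fix', 'fixed' or 'not_listed'.
    """
    v = parse_version(version)
    if v >= (17, 0, 0, 0):          # 17.0.0 shipped with the fix
        return "fixed", None
    for branch, first_affected, first_fixed in AFFECTED_BRANCHES:
        if v[:2] != branch:
            continue
        if v < _pad(first_affected):
            return "not_listed", None      # older than the advisory's range
        if first_fixed is None:
            return "vulnerable_no_fix", None
        if v < _pad(first_fixed):
            return "vulnerable", format_version(first_fixed)
        return "fixed", None
    return "not_listed", None


def port_lockdown_commands(self_ip_names: List[str]) -> List[str]:
    """tmsh commands that set Port Lockdown to 'Allow None' on each self IP.

    Caveat: 'Allow None' blocks every service on that self IP, not only
    iControl REST, so check whether HA, config sync or other peer traffic
    relies on it first; 'allow-service' also accepts an explicit port list
    (Allow Custom) when some services must stay reachable.
    """
    return [f"tmsh modify net self {name} allow-service none" for name in self_ip_names]


def triage(inventory: List[Dict]) -> Dict[str, Dict]:
    """Assess every host and attach mitigation commands to the exposed ones."""
    report: Dict[str, Dict] = {}
    for device in inventory:
        status, fix = assess(device["version"])
        entry = {"status": status, "upgrade_to": fix, "mitigation": []}
        if status.startswith("vulnerable"):
            entry["mitigation"] = port_lockdown_commands(device["self_ips"])
        report[device["host"]] = entry
    return report


# Constructed inventory (hypothetical hosts and self IP names) for a stand-alone run.
SAMPLE_INVENTORY = [
    {"host": "bigip-edge-1", "version": "16.1.2.1", "self_ips": ["ext_self", "int_self"]},
    {"host": "bigip-edge-2", "version": "16.1.2.2", "self_ips": ["ext_self"]},
    {"host": "bigip-legacy", "version": "12.1.6", "self_ips": ["self_10_0_0_5"]},
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_INVENTORY).items():
        print(host, entry["status"], entry["upgrade_to"] or "-")
        for cmd in entry["mitigation"]:
            print("   ", cmd)
```

Feed it the output of your own inventory system instead of `SAMPLE_INVENTORY`; hosts reported as `vulnerable_no_fix` are on the unsupported 11.x/12.x branches and need an upgrade to a supported branch rather than a point release.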
F5 also published a broader advisory covering another 17 high-severity vulnerabilities it found and fixed in BIG-IP.
In July 2020, a critical remote code execution bug in the BIG-IP Traffic Management User Interface similarly left thousands of exposed devices open to attack.