Researchers have developed PoC exploits for CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules. At the same time, exploitation attempts in the wild have been spotted.
CVE-2022-1388 PoC exploits
Security researchers began sharing evidence of successfully exploiting CVE-2022-1388 over the weekend:
– Matus Bursa #strongertogether (@BursaMatus) May 9, 2022
🔥 We have reproduced the fresh CVE-2022-1388 in F5 BIG-IP.
Successful exploitation could lead to RCE from an unauthenticated user.
Patch ASAP! pic.twitter.com/WjlWtTgSVz
– PT SWARM (@ptswarm) May 7, 2022
The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time looking at unrelated diffs in the latest version, but @jameshorseman2 eventually got first blood. We will release the PoC next week to give organizations more time to patch. #f5 #Cybersecurity pic.twitter.com/O1SivUE4vA
– Horizon3 Attack Team (@Horizon3Attack) May 6, 2022
The Horizon3 Attack Team has announced that it will release its PoC this week.
Researcher Kevin Beaumont also noted exploitation attempts:
One thing to note – the exploit attempts I’ve seen so far are not on the mgmt interface.
If you have the F5 box configured as a load balancer and firewall via a self IP, it is also vulnerable, so it could get messy. pic.twitter.com/U4TEcSRmul
– Kevin Beaumont (@GossiTheDog) May 8, 2022
Patch or mitigate the exploitation risk
CVE-2022-1388 is a flaw that unauthenticated attackers can exploit remotely to take over vulnerable BIG-IP devices and use that access to execute system commands, create or delete files, or disable services.
The vulnerability was disclosed by F5 last week, alongside many other less critical flaws. The company warned that it could be exploited through the device’s management port and/or self IP addresses, and urged administrators to upgrade their BIG-IP installations to a version that contains the fix (17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 or 13.1.5) or to implement the proposed mitigations to protect affected devices/modules:
- Block iControl REST access through self IP addresses
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
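The first decision a defender has to make is which devices in the fleet are still on a vulnerable release. The following is an added example, not code from the article or from F5: it compares each inventoried BIG-IP version against the earliest fixed release on its branch (17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5), handling the differing number of version components, and flags any branch not on that list for manual review rather than assuming it is safe. The hostnames and versions in the inventory are constructed sample data.

```python
"""Triage a BIG-IP inventory against the fixed releases for CVE-2022-1388.

Added example (not from the article or from F5). The device inventory below
is constructed sample data; the fixed releases are the ones F5 published.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Earliest fixed release on each supported branch, keyed by the
# major.minor prefix that identifies the branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (17, 0): (17, 0, 0),
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}


def parse_version(text: str) -> Version:
    """Turn '14.1.4.6' into (14, 1, 4, 6); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, length: int) -> Version:
    """Right-pad with zeros so (15, 1, 5) compares as (15, 1, 5, 0)."""
    return v + (0,) * (length - len(v))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted-branch' for one device.

    A branch that F5 did not list (end-of-life or newer than the advisory)
    is reported separately so it gets a human look instead of a free pass.
    """
    v = parse_version(version)
    fixed: Optional[Version] = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return "unlisted-branch"
    width = max(len(v), len(fixed))
    return "fixed" if _pad(v, width) >= _pad(fixed, width) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so patching can be prioritised."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unlisted-branch": []}
    for host, ver in inventory.items():
        buckets[assess(ver)].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "lb-edge-01": "16.1.2.1",
    "lb-edge-02": "16.1.2.2",
    "lb-core-01": "15.1.5",
    "lb-core-02": "15.1.5.1",
    "lb-legacy-01": "13.1.4",
    "lb-legacy-02": "17.0.0",
    "lb-old-01": "12.1.6",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Note that "15.1.5" is reported as vulnerable because the fix on that branch is 15.1.5.1; a naive string comparison would get that wrong. Devices on an unlisted branch need a check against the vendor advisory, since the list above only covers the branches F5 named.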
Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, says he usually recommends patching first and then addressing configuration issues, but in this case users should reverse the order of the two steps.
“First, make sure you don’t expose the admin interface. If you can’t do that: don’t try to patch. Turn off the device instead. If the configuration interface is secure: patch,” he advised.