The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild.
The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), concerns a critical bug in the BIG-IP iControl REST endpoint that allows an unauthenticated adversary to execute arbitrary system commands.
“An attacker can use this vulnerability to do just about anything they want to on the vulnerable server,” Horizon3.ai said in a report. “This includes making configuration changes, stealing sensitive information and moving laterally within the target network.”
Patches for the flaw were released by F5 on May 4, but it has been subjected to in-the-wild exploitation over the past week, with attackers attempting to install a web shell that grants backdoor access to the targeted systems.
“Because of the ease of exploiting this vulnerability, the publicly available exploit code, and the fact that it provides root access, exploitation attempts are likely to increase,” Rapid7 security researcher Ron Bowes noted. “Widespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices.”
While F5 has since revised its advisory to include what it considers “reliable” indicators of compromise, it warned that “a skilled attacker can remove evidence of compromise, including log files, after successful exploitation.”
What’s worse, evidence has emerged that the remote code execution flaw is being used to completely wipe targeted servers as part of destructive attacks that render them inoperable by issuing the “rm -rf /*” command, which recursively deletes all files.
“Given that the web server is running as root, this should take care of any vulnerable server out there and destroy any vulnerable BIG-IP device,” the SANS Internet Storm Center (ISC) said on Twitter.
In light of the potential impact of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been directed to patch all systems against the flaw by May 31, 2022.