Security researchers are claiming that they were able to construct an attack for a severe remote code execution vulnerability affecting F5’s BIG-IP family of devices just days after the company provided fixes for the flaw.
The weakness, which has been assigned the number CVE-2022-1388 (CVSS 9.8), is related to an iControl REST authentication bypass that, if properly exploited, might lead to remote code execution, allowing an attacker to obtain initial access and take control of an affected machine. This might include everything from bitcoin mining to the deployment of web shells for follow-on operations like data theft and ransomware.
“We have reproduced the fresh CVE-2022-1388 in F5’s BIG-IP,” cybersecurity company Positive Technologies said in a recent tweet. “Patch ASAP!” The following versions of BIG-IP products are affected by the critical security vulnerability:
- 11.6.1 – 11.6.5
- 12.1.0 – 12.1.6
- 13.1.0 – 13.1.4
- 14.1.0 – 14.1.4
- 15.1.0 – 15.1.5
- 16.1.0 – 16.1.2
Versions 17.0.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 13.1.5 all include fixes. Users that rely on firmware versions 11.x and 12.x wouldn’t receive security updates. Thus, they should consider updating to a newer version or using these solutions:
- Block iControl REST access via the self IP address
- Block iControl REST access via the management interface, and
- Amend the BIG-IP httpd configuration
Last month, cybersecurity experts from Australia, Canada, New Zealand, the United Kingdom, and the United States collectively warned that “threat actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide.”
Malicious hacker crews are anticipated to follow suit now that the F5 BIG-IP weakness has been discovered to be straightforward to attack, making it critical that impacted firms implement the updates.