A proof-of-concept (PoC) has been developed for a critical vulnerability in F5’s BIG-IP networking software which could expose thousands of users to remote takeover.
The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl REST authentication.
If exploited, an unauthenticated user could gain remote code execution (RCE) on an affected device.
Thousands vulnerable
Disclosed last week, the bug affects multiple versions of the network management software, which is said to be used by more than 35,000 companies.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” a security advisory warns.
“There is no data plane exposure; this is a control plane issue only.”
PoCs are now being released for the vulnerability, as threat research teams warn users to patch immediately.
Both PT Swarm and Horizon3 Attack Team have released separate PoCs. Both urge users to apply the fix if possible.
Mitigations
F5 has published a list of vulnerable versions and has shared advice on how to protect against the flaw.
The advice reads: “If you are running a version listed in the versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the fixes introduced in column.
“If the fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table).
“If the fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix.”
Paul Bischoff, privacy advocate at Comparitech, commented: “App developers using BIG-IP services should immediately take steps to mitigate the vulnerability until a patch is ready.
“Those steps include blocking access to the iControl REST interface of your BIG-IP system, restricting access only to trusted users and devices, and/or modifying the BIG-IP httpd configuration.
“Apps using BIG-IP can easily be discovered and targeted using a search engine like Shodan, so developers should expect attackers to exploit vulnerable systems in the near future.”
