The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.
The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.
On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.
F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.
Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.
Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.
The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.
A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.
Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.
Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.
Stay safe, everyone!