Security researchers are warning F5 BIG-IP admins to immediately install the latest security updates after creating exploits for a recently disclosed critical CVE-2022-1388 remote code execution vulnerability.
Last week, F5 disclosed a new critical remote code execution vulnerability in BIG-IP networking devices, tracked as CVE-2022-1388. The flaw is in the BIG-IP iControl REST authentication component and allows unauthenticated remote threat actors to bypass authentication and execute commands on the device with elevated privileges.
As F5 BIG-IP devices are widely deployed in enterprises, the vulnerability is a significant risk: exploiting it gives threat actors initial access to a network, from which they can spread laterally to other devices.
These types of attacks could be used to steal corporate data or deploy ransomware on all of the network’s devices.
Exploits easily created
This weekend, cybersecurity researchers from Horizon3 and Positive Technologies both created working exploits for the new F5 BIG-IP vulnerability. Both warned that admins should update their devices immediately, given how trivial the exploit is.
Zach Hanley, Chief Attack Engineer at Horizon3, told BleepingComputer that it took his team only two days to develop the exploit, and that he expects threat actors to begin exploiting devices soon.
“Given that the mitigations released by F5 for CVE-2022-1388 were a very large hint at where to look when reversing the application, we expect that threat actors may have also discovered the root cause as well,” Hanley told BleepingComputer via email.
“It took the Horizon3.ai attack team of two security researchers two days to track down the root cause, so we fully expect by end of next week that this will be taken advantage of by threat actors.”
Hanley also warned that the impact would be significant, as the exploit gives threat actors root access to the device, which they can use as a foothold into the corporate network.
“The saving grace here is that this vulnerability only affects the management side of the device, which should not be exposed to the internet,” continued Hanley.
However, Rapid7 researcher Jacob Baines tweeted that there are still 2,500 devices exposed to the Internet, making this a substantial risk to the enterprise.
Horizon3 says they will be publicly releasing their proof-of-concept exploit this week to push organizations to patch their devices.
Install security updates immediately
The good news is that F5 has already released BIG-IP security updates. Patch availability by version is:
- BIG-IP versions 16.1.0 to 16.1.2 (Patch released)
- BIG-IP versions 15.1.0 to 15.1.5 (Patch released)
- BIG-IP versions 14.1.0 to 14.1.4 (Patch released)
- BIG-IP versions 13.1.0 to 13.1.4 (Patch released)
- BIG-IP versions 12.1.0 to 12.1.6 (End of Support)
- BIG-IP versions 11.6.1 to 11.6.5 (End of Support)
Those running 11.x or 12.x will not receive a fix and should upgrade to a supported branch as soon as possible.
F5 has also released three mitigations that can be used by admins who cannot upgrade their BIG-IP devices immediately:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
However, even after applying mitigations, it is strongly advised that admins schedule the installation of the security updates as soon as possible.
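One way to confirm that the three mitigations above actually landed on a device, as an added example that is not part of this article or of F5's own tooling: a Python script that audits an exported BIG-IP configuration (bigip.conf, or the output of `tmsh list net self` and `tmsh list sys httpd`). The stanza layout is my reading of that format and both sample configs are constructed; the include text in the mitigated sample follows the Connection-header directive in F5's advisory, and the assumption that bigip.conf stores it as one double-quoted string with inner quotes escaped is mine. The script reports self IPs whose port lockdown still admits HTTPS (mitigation 1), whether the httpd allow list is still `All` (mitigation 2), and whether the httpd include carries that RequestHeader directive (mitigation 3).

```python
"""Audit an exported BIG-IP config (bigip.conf / 'tmsh list' output) for the three
CVE-2022-1388 mitigations.  Added example, not F5 code; the stanza layout follows
bigip.conf as I know it and both sample configs below are constructed."""
import re

# Constructed: a device with none of the mitigations applied.
UNMITIGATED_CONF = r"""
net self /Common/external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
}
net self /Common/internal_self {
    address 10.1.20.10/24
    allow-service {
        tcp:22
        tcp:443
    }
}
sys httpd {
    allow { All }
    include none
}
"""

# Constructed: the same device after all three mitigations.  The include text follows
# the Connection-header directive in F5's advisory; that bigip.conf stores it as one
# double-quoted string with the inner quotes escaped is an assumption.
MITIGATED_CONF = r"""
net self /Common/external_self {
    address 203.0.113.10/24
    allow-service none
}
sys httpd {
    allow { 10.0.0.0/8 }
    include "<If \"%{HTTP:connection} =~ /close/i \">
    RequestHeader set connection close
</If>
<ElseIf \"%{HTTP:connection} =~ /keep-alive/i \">
    RequestHeader set connection keep-alive
</ElseIf>
<Else>
    RequestHeader set connection close
</Else>"
}
"""

# Port-lockdown values that leave HTTPS, and so iControl REST, reachable on a self IP.
REST_OPEN = {"default", "all", "tcp:443"}


def stanzas(conf):
    """(kind, name, body) for top-level 'net self' / 'sys httpd' stanzas.  Braces are
    counted on a copy with quoted strings blanked out, since the httpd include is a
    quoted string that itself contains braces (%{HTTP:connection})."""
    masked = re.sub(r'"(?:[^"\\]|\\.)*"', lambda m: " " * len(m.group()), conf, flags=re.S)
    out = []
    for m in re.finditer(r"^(net self|sys httpd)\s+([^\s{]*)\s*\{", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(masked):
            depth += {"{": 1, "}": -1}.get(masked[i], 0)
            i += 1
        out.append((m.group(1), m.group(2), conf[m.end():i - 1]))
    return out


def exposed_self_ips(conf):
    """Mitigation 1: self IPs whose allow-service still admits iControl REST, mapped
    to their tokens.  Self IPs with no allow-service line are skipped, not guessed."""
    exposed = {}
    for kind, name, body in stanzas(conf):
        if kind != "net self":
            continue
        m = re.search(r"allow-service\s*(none|all|default|\{([^}]*)\})", body)
        if not m or m.group(1) == "none":
            continue
        tokens = set(m.group(2).split()) if m.group(2) is not None else {m.group(1)}
        if tokens & REST_OPEN:
            exposed[name] = sorted(tokens)
    return exposed


def httpd_status(conf):
    """Mitigations 2 and 3: is the httpd allow list still 'All', and does the include
    carry the RequestHeader directive?  No sys httpd stanza is read as the defaults."""
    body = next((b for k, _, b in stanzas(conf) if k == "sys httpd"), "")
    allow = re.search(r"\ballow\s*\{([^}]*)\}", body)
    tokens = allow.group(1).split() if allow else ["All"]
    inc = re.search(r'include\s+"((?:[^"\\]|\\.)*)"', body, re.S)
    return {
        "allow_unrestricted": "All" in tokens,
        "connection_directive": bool(inc) and "RequestHeader set connection" in inc.group(1),
    }


if __name__ == "__main__":
    for conf in (UNMITIGATED_CONF, MITIGATED_CONF):
        print(exposed_self_ips(conf), httpd_status(conf))
```

Save the `tmsh list` output from the device and feed it to the two functions. A self IP whose `allow-service` admits `default`, `all` or `tcp:443` is still reachable on port 443 and is listed even when the httpd allow list has been restricted, because the first and second mitigations protect different paths to iControl REST. The script checks configuration only; it says nothing about whether the fixed release has been installed.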