A critical flaw in F5 BIG-IP systems is being actively exploited by threat actors. BIG-IP systems are software/hardware solutions that are used for access control, application availability, and security. The flaw, tracked as CVE-2022-1388, was disclosed last week by F5 and was assigned a CVSS severity score of 9.8 out of 10. The flaw affects the iControl REST authentication component which is used for communication between the F5 devices and users. The vulnerability can be exploited remotely and allows unauthenticated attackers to execute commands on BIG-IP devices with root privileges.
The flaw is incredibly easy to exploit, which has led some security researchers to think that the bug was not a mistake by a developer but was deliberately introduced. The reason being, the flaw can be exploited with just two commands and some headers sent to a ‘bash’ endpoint exposed to the Internet. Bash is a popular Linux shell.
Just a few days after the announcement about the vulnerabilities, exploits for the flaw started to be publicly released by researchers, and threat actors started to use them in attacks on unpatched systems. Multiple threat actors have been exploiting the flaws to deliver webshells that provide network access, enumerate system information, steal SSH keys, create admin accounts on vulnerable devices, and drop malicious payloads; however, one threat actor has been exploiting the vulnerability in a malicious attack that erases all files on the Linux system of BIG-IP devices.
The flaw affects the following BIG-IP product versions:
- 1.0 to 16.1.2
- 1.0 to 15.1.5
- 1.0 to 14.1.4
- 1.0 to 13.1.4
- 1.0 to 12.1.6
- 6.1 to 11.6.5
The flaw can be exploited on BIG-IP devices that are exposed to the Internet and Shodan scans indicate almost 16,000 BIG-IP devices are exposed to the Internet and are potentially vulnerable. F5 has released patches to correct the vulnerability in versions 14.1.4.6, 15.1.5.1, 16.1.2.2, and 17.0.0. Patches will not be released to fix the vulnerability in versions 12.1.1-12.1.6 and 11.6.1 to 11.6.5.
Due to the widespread exploitation of the flaws, immediate patching is required. If it is not possible to immediately patch, F5 has suggested the following mitigations:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface
- Modify the BIG-IP httpd configuration
Further information on how to implement the mitigation is available here.