Attention: Members using impacted F5 BIG-IP products are strongly encouraged to pass this information along to IT support personnel and/or third party service providers to be promptly addressed.
As concern continues over the active and trivial exploitation of the recent vulnerability (CVE-2022-1388) impacting unpatched F5 BIG-IP devices, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) yesterday released joint Cybersecurity Advisory (CSA) AA22-138A, Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. As a reminder, the vulnerability allows an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. System administrators are strongly encouraged to review the joint advisory for actionable detection and response guidance, including workarounds, especially those who did not patch immediately or otherwise mitigate or remediate the issue in a timely fashion. Access AA22-138A at CISA.
May 10, 2022
Critical Vulnerability Affecting F5 BIG-IP Requires Action
On May 4, 2022, F5 published a security advisory for a critical vulnerability (CVE-2022-1388) impacting its BIG-IP appliances older than version 17. According to the advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to gain complete control over a vulnerable system, including executing arbitrary system commands, creating or deleting files, or disabling services.
Action required if you use F5 BIG-IP. If your utility uses an impacted version of F5 BIG-IP, the recommended actions are to make sure the management interface is disconnected from the internet and then patch. However, given active scanning for vulnerable systems, if the management interface is exposed to the internet it is suggested that you consider the appliance compromised and proceed accordingly with threat hunting and incident response to ensure the vulnerability was not exploited prior to patching. For more information and to determine if the BIG-IP in your environment is vulnerable, system administrators are encouraged to review How to Check If Your F5 BIG-IP Device Is Vulnerable.
What is the vulnerability? CVE-2022-1388 is a critical authentication bypass vulnerability allowing remote code execution. Successful exploitation would allow an unauthenticated attacker to execute arbitrary system commands, create and delete files, and disable services. Furthermore, the flaw enables the attacker to execute commands as root with no password required.
Is there a patch? Yes. While everything older than BIG-IP 17 is vulnerable, patches are only available for BIG-IP 13-16. BIG-IP 11 and 12 will not be patched.
Is this being actively exploited? Yes. Exploit code is available and multiple sources have reported exploitation.
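The following is an added example, not code from F5 or from the authors of this advisory. It turns the decision rules stated above (internet-exposed management interface: assume compromised and start incident response; BIG-IP 13 through 16: patch available; BIG-IP 11 and 12: no patch; 17 and later: not affected) into a small triage script that an administrator could run over a device inventory to order remediation work. The inventory records, hostnames, versions and the mgmt_internet_exposed field are constructed for illustration; the specific fixed build numbers are deliberately not encoded, since they are published in F5 article K23605346 rather than on this page.

```python
"""Triage helper for the F5 BIG-IP CVE-2022-1388 advisory.

Added example (not F5's or the advisory author's code). It applies the
advisory's own rules to a constructed inventory of BIG-IP appliances.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Device:
    hostname: str
    version: str                 # e.g. "16.1.2.1" as reported by the appliance
    mgmt_internet_exposed: bool  # management port or self IP reachable from the internet


def parse_version(version: str) -> tuple:
    """Return the numeric components of a BIG-IP version string such as '15.1.5'.

    Raises ValueError on anything that does not look like a dotted version, so a
    malformed inventory entry is surfaced instead of silently classified.
    """
    m = re.fullmatch(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def classify(device: Device) -> dict:
    """Map one device to the status and action the advisory calls for."""
    major = parse_version(device.version)[0]
    if major >= 17:
        return {"hostname": device.hostname, "status": "not_affected",
                "action": "none required for CVE-2022-1388"}
    # Everything below 17 is vulnerable. Internet exposure of the management
    # interface decides whether the 'assume compromised' guidance applies.
    if device.mgmt_internet_exposed:
        status = "assume_compromised"
        action = ("isolate the management interface from the internet, begin threat "
                  "hunting and incident response, then patch or upgrade")
    elif 13 <= major <= 16:
        status = "vulnerable_patch_available"
        action = ("confirm the management interface is not internet-reachable, then "
                  "apply the fixed build from F5 K23605346 (fixed builds not encoded here)")
    else:
        # The advisory names 11 and 12 as unpatched; anything older is treated the same.
        status = "vulnerable_no_patch"
        action = ("no patch available; keep the management interface off the internet "
                  "and plan an upgrade to a supported, fixed release")
    return {"hostname": device.hostname, "status": status, "action": action}


# Lower number = more urgent.
PRIORITY = {"assume_compromised": 0, "vulnerable_no_patch": 1,
            "vulnerable_patch_available": 2, "not_affected": 3}


def triage(inventory) -> list:
    """Classify every device and return the results, most urgent first."""
    results = [classify(d) for d in inventory]
    return sorted(results, key=lambda r: (PRIORITY[r["status"]], r["hostname"]))


# Constructed sample inventory; hostnames, versions and exposure flags are illustrative.
SAMPLE_INVENTORY = [
    Device("bigip-edge-01", "16.1.2.1", mgmt_internet_exposed=True),
    Device("bigip-core-01", "15.1.5", mgmt_internet_exposed=False),
    Device("bigip-legacy-01", "12.1.6", mgmt_internet_exposed=False),
    Device("bigip-new-01", "17.0.0", mgmt_internet_exposed=False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['hostname']:16} {r['status']:26} {r['action']}")
```

Run as-is it prints the sample devices in remediation order, with the internet-exposed appliance first. To use it against a real estate, replace SAMPLE_INVENTORY with records exported from an asset inventory; the exposure flag should come from an external scan or firewall review rather than from the appliance's own view of itself.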
Additional Resources:
- https://www.darkreading.com/dr-tech/how-to-check-if-your-f5-big-ip-device-is-vulnerable
- https://www.securityweek.com/technical-details-iocs-available-actively-exploited-big-ip-vulnerability
- https://isc.sans.edu/forums/diary/F5+BIGIP+Unauthenticated+RCE+Vulnerability+CVE20221388/28624/
- https://support.f5.com/csp/article/K23605346
- https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ip
- https://www.scythe.io/library/f5-big-ip-cve-2022-1388
- https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/