Blog
The Australian Cyber Security Centre (ACSC) has revealed it is aware of a Proof of Concept (POC) code attacking an F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range. The CVE-2022-1388 vulnerability (aka F5 BIG-IP Vulnerabilities) allows attackers to circumvent user authentication on web-exposed iControl interfaces, resulting in the execution of arbitrary operations, creation or deletion of files, or deactivation of services.
What are F5 BIG-IP Vulnerabilities?
F5 BIG-IP platform is a collection of software and hardware solutions for application availability, access management, and security. It’s used for a variety of things, including load balancing and application delivery. F5 warned users of the presence of a vulnerability in BIG-IP iControl REST, which allowed unauthorized requests to evade iControl REST authentication. According to F5, the vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system via the management port and/or self IP addresses to execute arbitrary system instructions, create or delete files, or stop services. In other words, the attacker might take the entire control of the affected device.
The F5 BIG-IP vulnerabilities
Information about publicly documented security issues can be found in the Common Vulnerabilities and Exposures (CVE) database. This tool enables data to be transferred easily between tools, databases, and services that address different types of vulnerability. CVE-2022-1388 is the name of the vulnerability, and it has a CVSS score of 9.8. F5 also stated that there is no data plane exposure; this is solely a control plane issue. So, you would assume not much of a problem if the management plan is not connected to the public internet. However, because F5 BIG-IP devices are widely used in companies, this vulnerability poses a considerable danger as it allows threat actors to use the problem to acquire early access to networks before spreading to more devices.
Exploits
Two independent groups of researchers stated on Twitter shortly after the patch that they had created exploits and would publish them soon. Other researchers found that BIG IP was being scanned online. Exploits are frequently discovered through reverse-engineering the modifications made by the patch, which is why patches should be implemented as quickly as feasible. Aside from the potential reputation damages, this is one of the reasons why vendors and open-source maintainers are typically hesitant to submit a CVE. Due to the basic nature of the attack, the researchers who created it advised all administrators to update their devices as soon as possible. The ACSC has now issued a warning about the existence of a proof of concept and hostile actors attempting to exploit this vulnerability on Australian networks.
Mitigation
Three mitigation methods have also been issued for administrators who are unable to upgrade their BIG-IP devices right away. These steps are:
1. Restriction of iControl REST access via the own IP address
You can prohibit any access to your BIG-IP system’s iControl REST interface through self IP addresses. To do so, alter the Port Lockdown settings for each individual IP address in the system to Allow None. If you must open any ports, utilize the Allow Custom option to disable iControl REST access. On single NIC BIG-IP VE instances, iControl REST listens on TCP port 443 or TCP port 8443 by default. If you changed the default port, make sure you do not enable access to the alternative port you set up.
2. Restrict REST access to iControl via the administration interface
According to the report, “To address this vulnerability for impacted F5 products, you should restrict management access to trusted individuals and devices across a secure network.”
3. Changes to the BIG-IP httpd settings
According to the report, “you can modify the BIG-IP httpd configuration to minimize this vulnerability in addition to limiting access through the self IP addresses and administration interface, or as an alternative to blocking access if those alternatives are not possible in your environment.”
Conclusion
The F5 BIG-IP system is a very popular product used by many companies. The newly discovered CVE-2022-1388 flaw might have a huge impact as it can allow attackers to take control of the entire device. If you suspect your organization may be vulnerable to this threat, consult the experts at Packetlabs.
Contact Packetlabs today for a no-cost, no-obligation consultation.