F5 BIG-IP systems vulnerable to remote takeover

Application security and delivery vendor F5 has issued patches for its BIG-IP platform, to address a critical bug that could be abused to remotely take over vulnerable systems.

The flaw lies in representational state transfer (REST) interface for the iControl framework, used to interact between users or scripts, and F5 devices.

Unauthenticated users who can access F5 BIG-IP systems' management port or "self IP addresses" can bypass the iControl REST authentication, F5 advised.

A self IP address is an IP address on the BIG-IP system that customers associate with a VLAN, to access hosts in that VLAN.

The authentication bypass lets attackers run arbitrary system commands, create or delete files, and disable services on vulnerable BIG-IP systems.

Software branches 13.x - 16.x have vulnerable versions of the bug, which is rated at 9.8 out of 10 on the Common Vulnerabilities Scoring System (CVSS) version 3.90.

F5 said the older 12.x and 13.x branches won't receive fixes for the bug.

There are temporary mitigation measures available, such as blocking iControl REST access through the self IP address, or through the management interface.

Administrators can also tweak the httpd server daemon in BIG-IP to block iControl REST access.

The United States government Cybersecurity and Infrastructure Security Agency (CISA) advised users to apply the necessary updates for F5 BIG-IP, or workarounds.

In Australia alone, Shodan found 895 F5 BIG-IP systems reachable at networks allocated to Microsoft, Google, AliCloud, Amazone and Linode.

Worldwide, the number of systems believed to be vulnerable is over 16,000.

In 2020, a critical bug in F5 products ended up being exploited by attackers dropping crypto currency miners, and webshells, on unpatched devices.

Update: Two teams of security researchers demonstrated exploits for the bugs late last week.

Horizon3 Attack Tweeted: "The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time chasing unrelated diffs within the newest version, but 
@jameshorseman2 ultimately got first blood. We'll release a POC next week to give more time for orgs to patch."

PT Swarm also found an attack vector: "We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP. Successful exploitation could lead to RCE from an unauthenticated user. Patch ASAP!"