A critical vulnerability was found in F5’s BIG-IP systems last week and is now being exploited in the wild. F5 is a leading application service provider, and BIG-IP is a combination of software and hardware designed to protect apps and networks against attacks. The company released patches for 43 vulnerabilities, but the most urgent is CVE-2022-1388, which was given a CVSS score of 9.8.
CVE-2022-1388 is a missing-authentication vulnerability that could allow an attacker to take control of an affected system. According to F5, a threat actor could obtain unauthenticated network access to BIG-IP systems through the management port and/or self IP addresses (the addresses BIG-IP customers assign to their VLANs). Unauthorized network access could allow the threat actor to execute arbitrary system commands, create or delete files, and disable services. This is a control plane issue only and does not expose data.
The following BIG-IP products are affected by CVE-2022-1388:
While F5 has patches for versions v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5, it will not release a patch for the 11.x (11.6.1 – 11.6.5) and 12.x (12.1.0 – 12.1.6) branches. CVE-2022-1388 does not impact other F5 products such as BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffix SDC.
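As an added example (not code from the article or from F5), the following Python triages an inventory of BIG-IP version strings against the fix list above, separating devices that can be upgraded from those on the 11.x and 12.x ranges that will never receive a patch. The dotted-numeric version format and the sample hostnames are assumptions.

```python
"""Triage BIG-IP software versions against the CVE-2022-1388 fix list.

Added example for this article, not F5 tooling. Fixed versions are the
ones the article cites from F5: 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6,
13.1.5. The 11.6.1-11.6.5 and 12.1.0-12.1.6 ranges are affected with no
fix. Input is assumed to be a dotted numeric version such as "15.1.4.1".
"""
from typing import Dict, Tuple

# branch (major, minor) -> first fixed version on that branch
FIXED = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}
# inclusive ranges that are vulnerable and will not receive a patch
NO_FIX = [((11, 6, 1), (11, 6, 5)), ((12, 1, 0), (12, 1, 6))]
FIRST_UNAFFECTED = (17, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """'15.1.4.1' -> (15, 1, 4, 1); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Return 'not-affected', 'fixed', 'upgrade-to:<ver>', 'no-fix' or 'not-listed'."""
    v = parse_version(text)
    if v >= FIRST_UNAFFECTED:
        return "not-affected"
    for low, high in NO_FIX:
        # the advisory lists these ranges with three components, so compare on three
        if low <= v and v[:3] <= high:
            return "no-fix"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"          # branch not in the fix table; check the advisory
    if v >= fixed:
        return "fixed"
    return "upgrade-to:" + ".".join(str(n) for n in fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> assessment for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# constructed sample inventory (hostnames and versions are made up)
SAMPLE = {"bigip-dc1": "15.1.4.1", "bigip-dc2": "16.1.2.2", "bigip-lab": "12.1.6.2"}
```

Devices reported as `no-fix` cannot be remediated by upgrading within their branch and should be prioritized for F5's temporary mitigations or migration to a supported release.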
Over the weekend, analysts developed a working exploit for CVE-2022-1388 and shared evidence of successful exploitation attempts. Because BIG-IP devices are widely deployed in enterprises, the risk of exposure is significant. Most of the devices are located in India, Australia, the U.S., and China. If you cannot apply the security patches immediately, follow F5’s temporary mitigations.