CVE-2022-1388 F5 BIG-IP: Executive Summary
F5 issued a security advisory on May 4, 2022, informing the public about a critical flaw in the iControl REST component of its BIG-IP product, designated CVE-2022-1388. The vulnerability lets an unauthenticated attacker bypass iControl REST authentication and execute arbitrary system commands on devices that have not been updated. With a CVSS score of 9.8, it is a critical vulnerability that requires immediate action. Since the advisory was released there has been a surge in mass scanning activity aimed at identifying unpatched systems, and exploitation in the wild has been observed.
CVE-2022-1388 F5 BIG-IP Arbitrary Command Execution
F5's BIG-IP devices serve a wide range of networking functions, including security, load balancing and application availability. In 2022 a vulnerability was identified in the BIG-IP product line that, when exploited, leads to arbitrary command execution on the device. The flaw lies in the iControl REST interface: the endpoint “/mgmt/tm/util/bash”, which runs a command through bash on the appliance, could be reached by bypassing authentication entirely. The conditions required to reach an exposed system and execute commands are trivial, as detailed in the report.
For a successful attack the following conditions had to be met:
- The management IP address of the device is reachable by the attacker.
- An X-F5-Auth-Token header is present; its value is irrelevant. In the public exploit this header is also named in the Connection header, which causes the front-end web server to strip it as a hop-by-hop header before the request reaches the back-end REST service, so the back end never sees a token to validate.
- The Authorization header carries HTTP Basic credentials whose username is “admin”, i.e. the base64 encoding of “admin:” followed by any password; the password is not checked.
- The POST body sets the “command” parameter to “run” and the “utilCmdArgs” parameter to a command of the attacker's choosing, which is handed to bash (typically as “-c <command>”).
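The request shape described above is also a usable detection signature. The following script is an added example, not F5's code or any published PoC: it parses raw HTTP requests (as they might be captured by a proxy or packet capture in front of the BIG-IP management interface), checks each of the conditions listed above, and reports whether the request looks like a CVE-2022-1388 exploitation attempt. The sample requests, the host address 192.0.2.10 and the session token value are constructed for the example; the base64 strings are simply the Basic encodings of “admin:” and “admin:password”.

```python
"""Flag raw HTTP requests that match the CVE-2022-1388 exploitation pattern.

Added example for illustration; not F5 code and not a published PoC.
"""
import base64
import binascii
import json

EXPLOIT_PATH = "/mgmt/tm/util/bash"


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased: HTTP header names are case-insensitive
    and scanners vary the casing.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_auth_username(headers):
    """Return the username from a Basic Authorization header, or None."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credential: cannot be the bypass
    return decoded.partition(":")[0]


def connection_strips_auth_token(headers):
    """True when Connection names X-F5-Auth-Token as a hop-by-hop header.

    That is the trick the public exploit relies on: the front end drops
    any header listed in Connection before forwarding the request.
    """
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "x-f5-auth-token" in tokens


def classify_request(raw: str):
    """Return (is_exploit_attempt, indicators) for one raw request."""
    method, path, headers, body = parse_http_request(raw)
    indicators = []
    if method.upper() == "POST" and path.split("?")[0] == EXPLOIT_PATH:
        indicators.append("post_to_util_bash")
    if "x-f5-auth-token" in headers:
        indicators.append("auth_token_header_present")
    if connection_strips_auth_token(headers):
        indicators.append("connection_strips_auth_token")
    if basic_auth_username(headers) == "admin":
        indicators.append("basic_auth_as_admin")
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if isinstance(payload, dict) and payload.get("command") == "run":
        indicators.append("command_run")
        if payload.get("utilCmdArgs"):
            indicators.append("utilCmdArgs=" + str(payload["utilCmdArgs"]))
    # A legitimate admin session also POSTs to this endpoint, so require the
    # two bypass ingredients (token stripping + trusted admin Basic header)
    # together with the command endpoint before calling it an attempt.
    is_attempt = {"post_to_util_bash", "connection_strips_auth_token",
                  "basic_auth_as_admin"} <= set(indicators)
    return is_attempt, indicators


# Constructed sample requests (not captured traffic).
EXPLOIT_ATTEMPT = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46\r\n"  # base64("admin:"), empty password
    "X-F5-Auth-Token: a\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c id"}'
)
LEGIT_TOKEN_CALL = (  # real session token, no Basic header, no stripping trick
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "X-F5-Auth-Token: EXAMPLESESSIONTOKEN0123\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c \'tmsh show sys version\'"}'
)
LEGIT_BASIC_READ = (  # admin using Basic auth for an ordinary read
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"  # base64("admin:password")
    "\r\n"
)

if __name__ == "__main__":
    for name, req in [("exploit", EXPLOIT_ATTEMPT), ("token", LEGIT_TOKEN_CALL),
                      ("basic_read", LEGIT_BASIC_READ)]:
        print(name, classify_request(req))
```

The discriminator is the Connection header naming X-F5-Auth-Token: an operator's genuine token-authenticated call to the same bash endpoint, or an admin using Basic auth for a read-only call, does not trip the rule, while the bypass request does regardless of what is in the base64 password portion.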
According to the report, 48 of the Fortune 50 companies use F5 products, and because of this wide adoption the attacks occurred on a large scale, affecting devices that had the management port exposed to the internet. Devices that are not exposed to the internet can still be affected if an attacker compromises the target network and reaches a vulnerable F5 device internally. Publicly available PoCs allow administrators to test whether their own devices are vulnerable. Customers are advised to follow the BIG-IP advisory and update their systems; where patching is delayed, the advisory's interim mitigations (blocking iControl REST access through self IPs and the management interface) reduce exposure but are not a substitute for the fix.