DIVD-2022-00027 - F5 BIG-IP iControl REST API remote code execution

Our reference	DIVD-2022-00027
Case lead	Ralph Horn
Author	Pepijn van der Stap
Researcher(s)	Pepijn van der Stap Tom Wolters Victor Pasman Lennaert Oudshoorn Max van der Horst
CVE(s)	CVE-2022-1388
Product	BIG-IP
Versions	16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5
Recommendation	If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status	Available
Status	Closed
Last modified	03 Nov 2022 12:37

Summary

Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, a proof of concept exploit code has been released for the vulnerability with attribute CVE-2022-1388. In addition, abuse of this vulnerability has been reported. Organisations are urged to install the updates made available by F5 or to apply mitigating measures.

Impact

By leveraging the vulnerability, an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.

What you can do

We recommend you to remediate the vulnerability by following F5’s advisory

Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Firmware versions 11.x and 12.x will not receive any security updates. You can:

Block iControl REST access through the self IP address
Block iControl REST access through the management interface, and
Modify the BIG-IP httpd configuration

Take the instance offline
Inspect your instance for backdoors, miners if possible. We recommend you to eliminate any possibilities or malware remaining on the server.

What we are doing

DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
We validate the vulnerability by executing a non-existent command and match the response.

Timeline

Date	Description
10 May 2022	DIVD starts investigating the scope and impact of the vulnerability.
10 May 2022	First version of this case file.
11 May 2022	First round of notifications sent about 500 hosts
15 May 2022	Notified another 130 vulnerable hosts
10 Jun 2022	Rescan, notifications sent out for the remaining vulnerable hosts
10 Jun 2022	Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)
25 Jun 2022	After monitoring the decrease in vulnerable systems we’ve decided to close this case.

gantt title DIVD-2022-00027 - F5 BIG-IP iControl REST API remote code execution dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00027 - F5 BIG-IP iControl REST API remote code execution (46 days) :2022-05-10, 2022-06-25 section Events DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-05-10, 0d First version of this case file. : milestone, 2022-05-10, 0d First round of notifications sent about 500 hosts : milestone, 2022-05-11, 0d Notified another 130 vulnerable hosts : milestone, 2022-05-15, 0d Rescan, notifications sent out for the remaining vulnerable hosts : milestone, 2022-06-10, 0d Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) : milestone, 2022-06-10, 0d After monitoring the decrease in vulnerable systems we’ve decided to close this case. : milestone, 2022-06-25, 0d

DIVD CSIRT