DIVD-2022-00027 - F5 BIG-IP iControl REST API remote code execution
|Case lead||Ralph Horn|
|Author||Pepijn van der Stap|
|Versions||16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.4, 12.1.0 - 12.1.6, 11.6.1 - 11.6.5|
|Recommendation||If you received a notification of a vulnerability, patch your system with the information provided in this notification.|
|Last modified||08 Dec 2022 16:28|
Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, proof-of-concept exploit code was published for the vulnerability, which is tracked as CVE-2022-1388. Exploitation in the wild has also been reported. Organisations are urged to install the updates made available by F5 or to apply mitigating measures.
By leveraging the vulnerability, an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can execute arbitrary system commands, create or delete files, or disable services.
What you can do
- We recommend that you remediate the vulnerability by following F5’s advisory. Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5. Versions 11.x and 12.x will not receive any security updates and must be upgraded to a supported branch.
- If you cannot patch immediately, apply the mitigations from F5’s advisory:
  - Block iControl REST access through the self IP address
  - Block iControl REST access through the management interface, and
  - Modify the BIG-IP httpd configuration
- Alternatively, take the instance offline until it has been patched.
- Inspect your instance for backdoors and cryptominers where possible. We recommend removing any remaining malware or persistence before returning the system to service.
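The following script is an added worked example for the patch-or-mitigate steps above; it is not DIVD's scanner and not F5 tooling. It places a BIG-IP version string against the affected ranges from this case file (the fixed releases 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5 are taken from F5's advisory K23605346 for CVE-2022-1388) and, when the version is affected, prints the tmsh commands for the first two interim mitigations: port lockdown "Allow None" on the self IPs and a source allow list on the management httpd. The self IP object names, the management allow list and the `tmsh show sys version` sample are placeholders and constructed data; the httpd configuration change (the third mitigation) is deliberately not scripted, take the exact directive from F5's advisory.

```shell
#!/usr/bin/env bash
# Added example, not DIVD's scanner and not F5 tooling: triage a BIG-IP version against
# the affected ranges in this case file and print F5's interim access restrictions as
# tmsh commands. Fixed releases are from F5 advisory K23605346; SELF_IP_NAMES, MGMT_ALLOW
# and SAMPLE_SYS_VERSION are placeholders / constructed sample data.
set -euo pipefail

# Affected branch ranges (inclusive, as listed in the case file) and the release that
# fixes each branch; "none" marks branches that will not receive a fix.
AFFECTED="16.1.0:16.1.2:16.1.2.2 15.1.0:15.1.5:15.1.5.1 14.1.0:14.1.4:14.1.4.6 13.1.0:13.1.4:13.1.5 12.1.0:12.1.6:none 11.6.1:11.6.5:none"

# Placeholders: replace with your self IP names (`tmsh list /net self`) and admin network.
SELF_IP_NAMES=${SELF_IP_NAMES:-"self_internal self_external"}
MGMT_ALLOW=${MGMT_ALLOW:-"192.0.2.0/24"}

# Constructed sample of `tmsh show sys version` output, so the script runs off-device.
SAMPLE_SYS_VERSION='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final'

# vercmp A B: prints -1, 0 or 1, comparing dotted versions field by field as integers,
# so 16.1.2.2 > 16.1.2 and 16.1.10 > 16.1.9 (plain string comparison gets both wrong).
vercmp() {
  local IFS=. i a b
  read -ra a <<<"$1"
  read -ra b <<<"$2"
  for ((i = 0; i < ${#a[@]} || i < ${#b[@]}; i++)); do
    local x=${a[i]:-0} y=${b[i]:-0}
    if ((x < y)); then echo -1; return; fi
    if ((x > y)); then echo 1; return; fi
  done
  echo 0
}

# trunc V N: keep the first N dotted fields of V (16.1.2.1 -> 16.1.2 for N=3), so a point
# release is compared against the branch's upper bound at the same granularity.
trunc() {
  local IFS=. p
  read -ra p <<<"$1"
  echo "${p[*]:0:$2}"
}

# assess V: prints "not affected", "affected, upgrade to X" or "affected, no fix available".
# A version is affected when it lies inside a listed range and is older than the fix.
assess() {
  local v=$1 entry lo hi fix nhi
  for entry in $AFFECTED; do
    IFS=: read -r lo hi fix <<<"$entry"
    nhi=$(awk -F. '{ print NF }' <<<"$hi")
    [[ $(vercmp "$v" "$lo") -ge 0 ]] || continue
    [[ $(vercmp "$(trunc "$v" "$nhi")" "$hi") -le 0 ]] || continue
    if [[ $fix == none ]]; then
      echo "affected, no fix available"
    elif [[ $(vercmp "$v" "$fix") -lt 0 ]]; then
      echo "affected, upgrade to $fix"
    else
      echo "not affected"
    fi
    return
  done
  echo "not affected"
}

# version_from_tmsh: extract the running version from `tmsh show sys version` on stdin.
version_from_tmsh() { awk '$1 == "Version" { print $2; exit }'; }

# mitigation_commands: tmsh commands for F5's interim restrictions. "allow-service none"
# is port lockdown "Allow None" on each self IP (blocks iControl REST there, but also every
# other service reached through that self IP, so list the ports you need instead if
# required); the httpd allow list limits the management interface to MGMT_ALLOW.
mitigation_commands() {
  local s
  for s in $SELF_IP_NAMES; do
    echo "modify /net self $s allow-service none"
  done
  echo "modify /sys httpd allow replace-all-with { $MGMT_ALLOW }"
  echo "save /sys config"
}

main() {
  local version=${1:-}
  if [[ -z $version ]]; then
    # No version argument: use the constructed sample. On a device use:
    #   tmsh show sys version | version_from_tmsh
    version=$(printf '%s\n' "$SAMPLE_SYS_VERSION" | version_from_tmsh)
  fi
  local verdict
  verdict=$(assess "$version")
  echo "BIG-IP $version: $verdict"
  if [[ $verdict == affected* ]]; then
    echo "Interim restrictions (review, then run each line with tmsh on the device):"
    mitigation_commands
  fi
}
main "$@"
```

Run it with a version argument (`./triage.sh 15.1.5`) or without one to use the embedded sample. Do not lock yourself out: make sure MGMT_ALLOW contains the network you administer from before applying the httpd allow list, and re-check the assessment after upgrading, since a point release such as 16.1.2.1 is still affected while 16.1.2.2 is not.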
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
- We validate the vulnerability by executing a non-existent command and matching the resulting response; a non-existent command leaves the scanned system unchanged.
|10 May 2022||DIVD starts investigating the scope and impact of the vulnerability.|
|10 May 2022||First version of this case file.|
|11 May 2022||First round of notifications sent for about 500 hosts|
|15 May 2022||Notified another 130 vulnerable hosts|
|10 Jun 2022||Rescan, notifications sent out for the remaining vulnerable hosts|
|10 Jun 2022||Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)|
|25 Jun 2022||After monitoring the decrease in vulnerable systems, we’ve decided to close this case.|