On Wednesday, Cloud security and ADN provider F5 released patches that contained 43 bugs affecting the company’s many products. Among these bugs, there is a critical one that could lead an unauthenticated attacker to perform the following actions:-
- Execute arbitrary system commands
- Perform file actions
- Disable services on BIG-IP
The 43 issues addressed are rated as follows:-
- One is rated Critical
- 17 are rated High
- 24 are rated Medium
- One is rated Low
The critical one has been assigned to CVE-2022-1388, and it has a CVSS v3 severity ranking of 9.8. This flaw arises as a result of an insufficient authentication check, and it could possibly be exploited by malicious actors to take control of a compromised system.
It is a serious flaw in the iControl REST component. It would allow a malicious actor to send undeclared requests in order to bypass the iControl REST authentication in BIG-IP and circumvent the control.
Here below we have mentioned all the affected products:-
- BIG-IP versions 16.1.0 to 16.1.2
- BIG-IP versions 15.1.0 to 15.1.5
- BIG-IP versions 14.1.0 to 14.1.4
- BIG-IP versions 13.1.0 to 13.1.4
- BIG-IP versions 12.1.0 to 12.1.6
- BIG-IP versions 11.6.1 to 11.6.5
While a fix has been introduced to F5’s customers in versions 17.0.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, and 13.1.5. However, patching will not be applied to the 12.x and 11.x branches.
Apart from this, the advisory clarifies that the following things are not impacted by CVE-2022-1388:-
- BIG-IQ Centralized Management
- Traffic SDC
Five New Vulnerabilities
Moreover, the CISA has published a list of five new vulnerabilities that are based on proof of active exploitation, and here we have listed the flaws below:-
- CVE-2021-1789 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2019-8506 – Apple Multiple Products Type Confusion Vulnerability
- CVE-2014-4113 – Microsoft Win32k Privilege Escalation Vulnerability
- CVE-2014-0322 – Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2014-0160 – OpenSSL Information Disclosure Vulnerability
More than 16,000 BIG-IP Devices Exposed
This vulnerability could potentially be exploited in the enterprise by threat actors to gain access to corporate networks using F5 BIG-IP devices.
It appears that Shodan currently shows that 16,142 F5 BIG-IP devices are publicly exposed to the internet, using the query shared by Warfield in the query aforementioned.
Because of this, the network administrators have been advised to patch these devices immediately. Not only that even there has already been considerable effort put into narrowing down the location of the vulnerability by the security researchers.
As a temporary workaround, F5 has offered some workarounds for the time being, and here they are:-
- iControl REST access through the self-IP address should be blocked.
- Block access to the management interface from the iControl REST API.
- Configure BIG-IP HTTPD according to your requirements.