Published Date: 10/5/2022
The purpose of this alert is to bring attention to a CRITICAL vulnerability in the iControl REST API of F5 BIG-IP products. The vulnerability allows unauthenticated execution of system commands on affected products.
The Triskele Labs CTI team advises that a proof-of-concept exploit is now publicly available, as a cybersecurity researcher named Jinwook Kim has presented a working exploit in the following tweet:
This publicly available exploit gives Threat Actors a direct route to exploiting vulnerable versions of BIG-IP’s iControl REST API in the wild. Triskele Labs advises that all affected organisations immediately apply the mitigations outlined in this report.
On 5 May 2022, security vendor F5 issued a notification describing a critical vulnerability, tracked as CVE-2022-1388, in the REST component of BIG-IP’s iControl REST API. This API is used for the management and configuration of BIG-IP devices.
The F5 notification indicates that the CVE has a CVSS v3 Score of 9.8, making it CRITICAL.
CVE-2022-1388 allows attackers to bypass authentication and execute arbitrary code on affected systems. This grants Threat Actors the ability to install malicious software such as webshells, or to perform other malicious actions including the creation or deletion of files and the disabling of services.
It is understood that the vulnerability is present in the following versions of BIG-IP’s iControl REST API:
- 16.1.0 - 16.1.2
- 15.1.0 - 15.1.5
- 14.1.0 - 14.1.4
- 13.1.0 - 13.1.4
- 12.1.0 - 12.1.6
- 11.6.1 - 11.6.5
It should be noted that F5 has stated it will not issue patches for the affected versions in the 11.x and 12.x branches.
If you are running an affected version of BIG-IP’s iControl REST API, follow the remediation instructions and install the latest patch, available here:
Triskele Labs advises organisations to restrict access to vulnerable versions of the iControl REST API to only trusted IPs and devices.
The Managed Detection and Response team is actively monitoring for suspicious activity within affected environments.
SIEM log collection and EDR agents deployed on servers and endpoints will aid in detecting Threat Actors who successfully gain access to an environment and begin reconnaissance.
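The following script is an added example, not code from Triskele Labs or F5, that turns two parts of this alert into repeatable checks: the affected-version table above (a device's BIG-IP version is tested against each listed range, inclusive on both ends) and the advice to restrict iControl REST access to trusted IPs (web-access log lines are scanned for requests to the iControl REST path prefix from sources outside an allowlist, which is what a SIEM rule for this advice would look for). It assumes that iControl REST endpoints sit under the `/mgmt/` path prefix; the log-line format, the trusted networks, the sample log lines and the sample versions are all constructed for the example.

```python
"""Triage helper for the BIG-IP iControl REST alert above.

Added example, not Triskele Labs' or F5's code. Two defender-side checks:
  1. is_affected(): is a BIG-IP version inside one of the affected ranges
     listed in the alert (inclusive on both ends)?
  2. untrusted_rest_access(): find requests to the iControl REST path prefix
     (/mgmt/) whose source IP is outside the trusted allowlist, i.e. traffic
     the recommended access restriction should have blocked.
The log format, the allowlist and all sample data are constructed assumptions.
"""
import ipaddress
import re

# Affected ranges exactly as listed in the alert (inclusive).
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 1, 2)),
    ((15, 1, 0), (15, 1, 5)),
    ((14, 1, 0), (14, 1, 4)),
    ((13, 1, 0), (13, 1, 4)),
    ((12, 1, 0), (12, 1, 6)),
    ((11, 6, 1), (11, 6, 5)),
]


def parse_version(version: str) -> tuple:
    """'15.1.5' -> (15, 1, 5). A fourth component (e.g. '15.1.5.1') is kept,
    so a point release above a listed upper bound compares as outside it;
    confirm such versions against F5's own advisory rather than this table."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Constructed access-log format: "<src_ip> <method> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Constructed allowlist of management sources (a jump-host subnet and one admin host).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.5/32")]

ICONTROL_REST_PREFIX = "/mgmt/"  # assumption: iControl REST lives under /mgmt/


def untrusted_rest_access(log_lines, trusted_networks=TRUSTED_NETWORKS):
    """Return (src_ip, path, status) for every iControl REST request whose
    source address is outside the trusted allowlist. Lines that do not match
    the expected format, or carry an unparseable address, are skipped."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        src, _method, path, status = match.groups()
        if not path.startswith(ICONTROL_REST_PREFIX):
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(ip in net for net in trusted_networks):
            hits.append((src, path, int(status)))
    return hits


# Constructed sample log: one trusted admin, one untrusted source, one non-REST request.
SAMPLE_LOG = [
    "10.10.0.7 GET /mgmt/tm/sys/version 200",          # trusted admin host
    "203.0.113.44 POST /mgmt/shared/authn/login 401",  # untrusted source, rejected
    "203.0.113.44 POST /mgmt/tm/ltm/virtual 200",      # untrusted source, succeeded
    "198.51.100.9 GET /tmui/login.jsp 200",            # not an iControl REST path
    "garbage line",                                    # skipped by the parser
]

if __name__ == "__main__":
    for v in ("16.1.2", "16.1.2.2", "13.1.5", "11.6.1"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not in listed ranges'}")
    for src, path, status in untrusted_rest_access(SAMPLE_LOG):
        print(f"ALERT untrusted iControl REST access: {src} {path} -> {status}")
```

The version check is deliberately conservative: only versions inside the ranges printed in this alert are reported as affected, and anything else should be confirmed against F5's advisory. The log check reports a successful request (status 200) from an untrusted source as well as a rejected one, because with this vulnerability the rejected login attempt is not the interesting event; the unauthenticated request that succeeded is.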
References used for the generation of this release: