Security researchers claim to have created an exploit for a recently disclosed remote code execution (RCE) bug that affects F5 Network’s BIG-IP family of networking devices/modules and could enable an attacker to execute commands on a vulnerable device with elevated privileges.
Tracked CVE-2022-1388 and with a CVSS base score of 9.8, the flaw is found within the iControl REST authentication component and could enable a remote threat actor to bypass an authentication check and perform total system takeover.
Researchers from cybersecurity firms Positive Technologies and Horizon3 have said they were able to create exploits for the new F5 BIG-IP bug.
“We have reproduced the fresh CVE-2022-1388 in F5’s BIG-IP,” Positive Technologies stated on Friday. “Patch ASAP!”
Horizon3’s Chief Attack Engineer, Zach Hanley, told BleepingComputer that they were able to discover the flaw in just two days and expect threat actors to start hacking devices shortly.
“Given that the mitigations released by F5 for CVE-2022-1388 were a very large hint at where to look when reversing the application, we expect that threat actors may have also discovered the root cause as well,” Hanley said.
“It took the Horizon3.ai attack team of two security researchers two days to track down the root cause, so we fully expect by the end of next week that this will be taken advantage of by threat actors.”
The impact of this issue will be considerable, according to Hanley, since it allows threat actors to get root access to devices, which hackers would employ to gain initial access to corporate networks.
Horizon3 said they would publicly release the proof-of-concept (PoC) exploit this week to push companies to install updates quickly.
Last week, F5 released patches for the bug and advised BIG-IP admins to immediately install the security updates.
The new F5 RCE vulnerability, CVE-2022-1388, is trivial to exploit. We spent some time chasing unrelated diffs within the newest version, but @jameshorseman2 ultimately got first blood. We’ll release a POC next week to give more time for orgs to patch.#f5 #CyberSecurity pic.twitter.com/O1SivUE4vA
— Horizon3 Attack Team (@Horizon3Attack) May 6, 2022
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” the company stated in its advisory.
The bug affects the following versions of BIG-IP products:
- 16.1.0 – 16.1.2
- 15.1.0 – 15.1.5
- 14.1.0 – 14.1.4
- 13.1.0 – 13.1.4
- 12.1.0 – 12.1.6
- 11.6.1 – 11.6.5
Versions 17.0.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 13.1.5 include fixes.
Organisations that use firmware versions 11.x and 12.x should consider updating to a newer version or using the workarounds as these versions will not receive security upgrades.
In the event that a fixed version cannot be installed, F5 has suggested some mitigating measures. They are:
- blocking access to the iControl REST interface via self IP addresses,
- blocking iControl REST access through the management interface
- modifying the BIG-IP httpd configuration
Security flaws in BIG-IP devices are frequently exploited by various hacking groups, including state-sponsored hackers, thus organisations should act quickly to patch their devices.
According to F5 Networks, 48 of the Fortune 50 companies use BIG-IP networking devices/modules to manage and analyse network and application traffic. These devices are used as server load balancers, access gateways, application delivery controllers and firewalls by telecommunications firms, big cloud service providers and government agencies.
According to Rapid7 researcher Jacob Baines, around 2,500 devices are still accessible to the Internet, making the F5 BIG-IP flaw a significant organisational risk.