An exploit for the recently disclosed CVE-2022-1388 remote code execution critical vulnerability has been created and published, warning F5 BIG-IP administrators to immediately install the latest security updates.
F5 has disclosed a new critical remote code execution vulnerability in BIG-IP network equipment, tracked as CVE-2022-1388.
This vulnerability affects the BIG-IP iControl REST authentication component and allows an attacker to bypass authentication and execute commands on the device with privilege escalation.
Because F5 BIG-IP devices are commonly used in the enterprise, this vulnerability poses a significant risk because an attacker could exploit this vulnerability to gain access to the network and deploy laterally to other devices.
This type of attack can be used to steal corporate data or deploy ransomware to all devices on a network.
Easy to create exploits
Cybersecurity researchers from Horizon3 and Positive Technologies have successfully created an exploit against a new vulnerability in the F5 BIG-IP. They warn that this exploit is so simple that all administrators need to update their devices as soon as possible.
Zach Hanley, chief attack engineer for Horizon3, expects that it will take only two days to discover the exploit and attackers will begin exploiting the device immediately.
Given that the response released by F5 to CVE-2022-1388 was a very big hint as to where to look when reverse engineering an application, we We expect that they are discovering attack techniques as well
Hanley also warns that the impact of this exploit is significant because it allows attackers root access to the device, which hackers will use to gain initial access to corporate networks.
It is a relief that this vulnerability only affects the administrative side of devices that should not be exposed to the Internet
However, Rapid7 researcher Jacob Baines tweeted that there are still 2,500 devices exposed to the Internet, which is a considerable risk to businesses.
Horizon3 said it will release a proof-of-concept exploit this week to encourage businesses to patch their devices.
Immediately install security updates
F5 has already released a BIG-IP security update applicable to the following firmware versions.
- BIG-IP versions 16.1.0 to 16.1.2 (patch release)
- BIG-IP versions 15.1.0 to 15.1.5 (patch release)
- BIG-IP versions 14.1.0 to 14.1.4 (patch release)
- BIG-IP versions 13.1.0 to 13.1.4 (patch release)
- BIG-IP versions 12.1.0 to 12.1.6 (no longer supported)
- BIG-IP versions 11.6.1 to 11.6.5 (no longer supported)
End users running firmware versions 11.x and 12.x will not receive security updates and should upgrade to the new versions as soon as possible.
F5 has also published three accommodations that can be used by administrators who cannot upgrade their BIG-IP devices immediately. Block iControl REST access via own IP addressBlock iControl REST access via management interfaceChange BIG-IP httpd settings
However, it is strongly recommended that administrators schedule the installation of security updates as soon as possible, even after the corresponding measures have been applied.